MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575
SHA3-384 hash: 4f001b818ccf61ac69883df26bd74b22e2adc3fd48e3d2eeb92ae95ad33e5b0bfee0cdb33343d4a1b297dea26fc8a5db
SHA1 hash: a8eba2e6e650a8edc9bc70698b1c749008822160
MD5 hash: 2018cf61c1bcb571163a755755249cf3
humanhash: glucose-red-alaska-vegan
File name:2018cf61_by_Libranalysis
Download: download sample
Signature AgentTesla
Create hunting rule
File size:392'708 bytes
First seen:2021-05-19 20:02:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k96JbQzSq77tk3BJvPhQO8gZ2NSijMVMj8wjmlwdZ+qlj3+mhTH/760Fs9v:n+Ss+33PhN8gZOS5+QImlwiUDZVQv
Threatray 5'134 similar samples on MalwareBazaar
TLSH 9D841296FAE5CCF2C0111AB89D1ECBD5E63ABB016A280A7357B46EDEDCB5343980D045
Reporter Libranalysis
Tags:AgentTesla


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2018cf61_by_Libranalysis
Verdict:
Suspicious activity
Analysis date:
2021-05-19 20:25:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/758d2b19-c31b-4f74-bc14-9807d827ed08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/158805/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Moving a recently created file
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785329
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417728 Sample: 2018cf61_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 9 other signatures 2->58 7 svchost.com 1 2->7         started        11 2018cf61_by_Libranalysis.exe 4 2->11         started        13 svchost.com 1 2->13         started        process3 file4 36 C:\...\protocolhandler.exe, PE32 7->36 dropped 38 C:\Program Files (x86)\...\misc.exe, PE32 7->38 dropped 40 C:\Program Files (x86)\...\lynchtmlconv.exe, PE32 7->40 dropped 48 98 other malicious files 7->48 dropped 76 Drops executable to a common third party application directory 7->76 78 Infects executable files (exe, dll, sys, html) 7->78 15 dcebi.exe 7->15         started        42 C:\Windows\svchost.com, PE32 11->42 dropped 44 C:\Users\...\2018cf61_by_Libranalysis.exe, PE32 11->44 dropped 46 C:\ProgramData\...\vcredist_x86.exe, PE32 11->46 dropped 50 9 other malicious files 11->50 dropped 80 Creates an undocumented autostart registry key 11->80 82 Drops PE files with a suspicious file extension 11->82 17 2018cf61_by_Libranalysis.exe 1 23 11->17         started        84 Sample is not signed and drops a device driver 13->84 21 dcebi.exe 19 13->21         started        signatures5 process6 file7 28 C:\Users\user\AppData\Roaming\...\dcebi.exe, PE32 17->28 dropped 30 C:\Users\user\AppData\Local\...\System.dll, PE32 17->30 dropped 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->60 62 Maps a DLL or memory area into another process 17->62 23 2018cf61_by_Libranalysis.exe 2 17->23         started        32 C:\Users\user\AppData\...\tjpaaaznjjlvrkv, DOS 21->32 dropped 34 C:\Users\user\AppData\Local\...\System.dll, PE32 21->34 dropped 64 Detected unpacking (changes PE section rights) 21->64 66 Detected unpacking (overwrites its own PE header) 21->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->68 26 dcebi.exe 2 21->26         started        signatures8 process9 signatures10 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->70 72 Tries to steal Mail credentials (via file access) 23->72 74 Tries to harvest and steal browser information (history, passwords, etc) 23->74
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:40:00 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713
AgentTesla
4b19e25b2907338e5919fb760324260035c71761de65fc94e8aaf74ed1154d6b
AgentTesla
4f6160e4c934ebea2ec7628b06c97b7995d0b4378f817adfadb15c90c3edb202
AgentTesla
50f90f15051f6b67b24f50b1f339e8eb40a513ce175f5ce12f6f2a7341d1785b
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb
AgentTesla
c27ee7916b7471bc3bf38a4ce92bb3075972ec46814f3ca0d71dbe24dc495e7d
AgentTesla
e7554bfc25c557b696437cd884bced4c34fcc391262c1c26096f43a2db3ad6da
AgentTesla
fc166af65772a1d1402c921cd81c5711d1e49abdd78e08ecf546626974d57314
AgentTesla
+ 5'124 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210519-x4mjj7lpzn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies system executable filetype association
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/158805/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 21:01:10 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
1) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
2) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0047] File System Micro-objective::Delete File
6) [C0049] File System Micro-objective::Get File Attributes
7) [C0051] File System Micro-objective::Read File
8) [C0050] File System Micro-objective::Set File Attributes
9) [C0052] File System Micro-objective::Writes File
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
14) [C0042] Process Micro-objective::Create Mutex
15) [C0017] Process Micro-objective::Create Process
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process