MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1d8a5609784204c52e0983eab129b809e6fdba68361b22ace4e7e973cdd3468. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c1d8a5609784204c52e0983eab129b809e6fdba68361b22ace4e7e973cdd3468
SHA3-384 hash:	9851cec8f1a62b582091e366ba78b01cb766160249fdc2edd29ab16bd90a6337f671ae1287a755a538520e3cd7855e29
SHA1 hash:	288a6406bb8cad0b5c046fb16d7f478638aec779
MD5 hash:	6b20ac533bfad1c5e1e9538f6beea571
humanhash:	oklahoma-queen-winner-steak
File name:	TT_Coppy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	387'072 bytes
First seen:	2020-11-12 05:43:16 UTC
Last seen:	2024-07-24 21:10:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'799 x AgentTesla, 19'718 x Formbook, 12'278 x SnakeKeylogger)
ssdeep	6144:hYPf1/6ffunyWsJ8stFFvB1HVDXFLqsP5TxM+xAlb8:hW9/jw8stFF3HbLNwoA
Threatray	22 similar samples on MalwareBazaar
TLSH	BF846DBA7DA6547ECA6A0777106487C2FA7A37C63B908B0D758E430C4E11B1FAB13647
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Artemis6B20AC533BFA.11327.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/531832

Signature

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1d8a5609784204c52e0983eab129b809e6fdba68361b22ace4e7e973cdd3468/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-12 02:46:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhmkkyexqqqeyuxata7kweu3qcpg7w5gqnq3ekwojz7jopg5grua._file

Verdict:

unknown

AgentTesla

3a080bd2bc175ba929ce56ebeb07c3603d63a968eca9d74e8ad76a66e59988a1

AgentTesla

3f28fd2c56f0bb9501f62fa64c71f6475d7cca2ee1908e097febdfc5516358ed

AgentTesla

56fe97a0d2334b6f2a0c6d40551a3a53895ec976e33cf45a57f3d929c22c7e43

AgentTesla

70048d51529f09683d5180eb0e410297fa0332f155e213ebefc8fb750389177f

AgentTesla

7a41a1a3587338cb69ba10c46950176faf9dabd938ddb9ad7dfeb65d2b79c96e

AgentTesla

8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99

AgentTesla

a7c66c4f2c290ea9dfd03b06c9d196448e81a81dbf85f2e85b34858c5dcdb85d

AgentTesla

c5886cce4cccd324633b1f7d2d7a007a238550d8174cbed7703aa9088db51ab3

AgentTesla

e33cc945d6b0681de6b34b52f0cb609676cdf5f3ecf61f4122b64d7a7e74b5ca

AgentTesla

+ 12 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201112-4wcw9rdhn2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b2daba8bd9bd8180b3a3f99be8b5c5341cf5393d09c3975eaf8cc25fd6c004fe

MD5 hash:

157dbc7d2a3ff1c46eeddea60af1a3b4

SHA1 hash:

4c501dec940f11fb180224faceff33617f5b98f4

Link:

https://www.unpac.me/results/741d5266-660d-4796-b3a7-9f9061001b0e/

SH256 hash:

556c97866647387ce381539e18bdfc496c340de60b2c941b74052841622e845b

MD5 hash:

5318e1caf9a4e72731afc22520f74ed3

SHA1 hash:

af8b8213ee4a3b19fe93a15b1e588353d9544d02

Link:

https://www.unpac.me/results/741d5266-660d-4796-b3a7-9f9061001b0e/

SH256 hash:

c1d8a5609784204c52e0983eab129b809e6fdba68361b22ace4e7e973cdd3468

MD5 hash:

6b20ac533bfad1c5e1e9538f6beea571

SHA1 hash:

288a6406bb8cad0b5c046fb16d7f478638aec779

Link:

https://www.unpac.me/results/741d5266-660d-4796-b3a7-9f9061001b0e/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.