MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2
SHA3-384 hash:	7da404e19cbacfb834b90ff662089ed5c38aaa063a252dd3f35807fafd818b73149fc8b3a60953690dc2b68875644069
SHA1 hash:	d22f1a81fe03dc18717ae0647227e5833365df9f
MD5 hash:	0566bb02b906ad4e468a5e107cd046dc
humanhash:	timing-nuts-cup-neptune
File name:	Customer Order, Images, Spec.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	308'736 bytes
First seen:	2020-12-16 07:55:57 UTC
Last seen:	2020-12-16 10:06:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e06d0f4fcf3872d57a0853ffeb036a8d (2 x AgentTesla, 2 x Formbook, 1 x Loki)
ssdeep	6144:TmVv7sMTnsGkvAhy0qMcN4EdAfOeReWO3ONjuPlC64pnByX2NkKN5:TY6G2tNx4Q0JRpSON+CZpByX6f5
Threatray	1'910 similar samples on MalwareBazaar
TLSH	8464230FFD5062EBFA413BF297BBC239E4730AF06305D4C61979A67668BE8005F92465
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Customer Order, Images, Spec.exe

Verdict:

Malicious activity

Analysis date:

2020-12-16 07:56:58 UTC

Tags:

rat agenttesla

Link:

https://app.any.run/tasks/28ac42c7-fa99-43ea-a07c-faf2f219aa8b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108261/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.25880.15196.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/564094

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2020-12-16 05:01:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yiw2yzokoho2bjys5jn7nskzylonmif4i4ls3rm46h5sriunzpba._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

228fe441663bba29232efd41520bef1ab0d2edeed96e106526ba9193794eb394

AgentTesla

39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f

AgentTesla

4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3

AgentTesla

88940cdb5af43de1c9f192bcc96bd258f5632e40c04db36ecff072516821794e

AgentTesla

badf7e8ef826b51aaa028ec3a296f7b9432474d8b6377552f0dcbfd520c0df47

AgentTesla

bee3c64a4d3862a54f11a05303fb39c9768891841673269e477d0d87ec1862e2

AgentTesla

c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc

AgentTesla

e6efc787bb6b6506150aca14be1966713c7a28f55788af42902e500779818228

AgentTesla

f36eeb335a9d18ff16f6b1869f45a0f81d44f93706fd2d39d4568d8d2e694ca3

AgentTesla

+ 1'900 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201216-94ck2phn5n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2

MD5 hash:

0566bb02b906ad4e468a5e107cd046dc

SHA1 hash:

d22f1a81fe03dc18717ae0647227e5833365df9f

Link:

https://www.unpac.me/results/d4ac2e7f-fe0e-4046-9d16-6c8ad9d3a1a6/

SH256 hash:

13bde662654fd1d0193fc2a7455bac47ce7ea50664d034e851935201f7dc1ad9

MD5 hash:

f1dbc54667c808769717e6725bf68dc5

SHA1 hash:

d4ac845a5562735b51907a0d44e3f6f33d1ea5d0

Link:

https://www.unpac.me/results/d4ac2e7f-fe0e-4046-9d16-6c8ad9d3a1a6/

SH256 hash:

179984b0900047aa2b2c340e1e05183fcb02654822dc9f09d78dfdaca3cbaa7e

MD5 hash:

bc9f12ac3aa7cc31f51e6ddcfcc308dc

SHA1 hash:

f0892cdff24bcf447acae8df948a3fe0f4aaf216

Link:

https://www.unpac.me/results/d4ac2e7f-fe0e-4046-9d16-6c8ad9d3a1a6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip cbfeb7245db426440564cc9de2987213b2832fc13876d58864ea9d9774162f60

AgentTesla

exe c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2

(this sample)

Delivery method

Other

Dropped by

SHA256 cbfeb7245db426440564cc9de2987213b2832fc13876d58864ea9d9774162f60

Cape

https://www.capesandbox.com/analysis/108261/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample