MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004
SHA3-384 hash: beab5b799df6b6b4fcfd20c968cc80531b4540b31e7c6b6f45c48055fe99a0a19d88a5c502fb6df805e7d853526603b5
SHA1 hash: c353767cdc404dcdbe931f896da88c3eeb608a8a
MD5 hash: 5e237ab5a301c8df8770d5187ad32ff9
humanhash: july-carolina-low-speaker
File name:Images for New materials H12Etxknwemhib9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:155'648 bytes
First seen:2020-11-06 09:53:50 UTC
Last seen:2020-11-06 11:58:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:m6j1i1MFtaa8ahx2t1dRtKn3meRLd142qF7bsa7xqzP0GZ9vsyW5FuS3sERe+hlz:m9lwrSkJ8EAmjc+8
Threatray 133 similar samples on MalwareBazaar
TLSH F7E396F4A46F8891F41B857129ADBE6000B37D8FDAC55E0813ADF9323BFA352394594E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Apinya Intarabudh <Apinya@ecandes.de>
Subject: Pricing for materials (New order)
Attachment: Images for New materials.img (contains "Images for New materials H12Etxknwemhib9.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.19710.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/522313
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 10:43:20 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ykivwtowdylpnwuk5m4aujzsxw5ha5sk6jqydgx2ohudjajtgaca._file
Verdict:
unknown
Similar samples:
10532b67aa0e421cbd04f79e1da3829be0d0a2ca5feb939f4962c7b2f79353c1
AgentTesla
1d41e76da681ad17d46ff9a1fb6f59afb00a8e96df9f2adf42634f05849e6fd2
AgentTesla
1f63aff33db6b9a2920969f2f8d4ccb92f745596881cfa3fc9f651162aa43e88
AgentTesla
2800f779fcf9eb82626c08e19c5c2a46a149a1a0d046ef79c6c9ac1a44c6017e
AgentTesla
334ab59399997e54878083e726a2dbc5d41f844025742b4ea35921a93bf24d68
AgentTesla
b22d33b348ba648c5f39061bb4e743ed6a52dd57720de34902c093a2f2ac97ab
AgentTesla
c35d8629ac725a6fd6bc953e5f86e4fa1b8a3680b367b52b33880ddeaa7492d4
AgentTesla
c5216e025f487ad72623e702871432afa40739fc1d2b24fca4bcbd7f009d0064
AgentTesla
d6b834570825a606942ff096f5ad3df33f58082be5a68bab447bc9af4b114e95
AgentTesla
f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec
AgentTesla
+ 123 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201106-l39eq74y7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004
MD5 hash:
5e237ab5a301c8df8770d5187ad32ff9
SHA1 hash:
c353767cdc404dcdbe931f896da88c3eeb608a8a
Link:
https://www.unpac.me/results/ffec0192-38b6-49b4-bf3d-18ea65151c65/
SH256 hash:
98ea3bf133d9e8482e9a4c918f6caf23b10c5ea680443e8591386cb02bd312ce
MD5 hash:
a7859e47a721f648abc4d24defbd8391
SHA1 hash:
44154b85ad39a61e5213b14be508b6841d737bda
Link:
https://www.unpac.me/results/ffec0192-38b6-49b4-bf3d-18ea65151c65/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 40f3c2e87b7c001b8fa3e18856d007cff87e3d86904117981dabb86665e73fb5

AgentTesla

Executable exe c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004

(this sample)

  
Dropped by
MD5 b2fa48a0bf0548d15399a3227ec3718c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 40f3c2e87b7c001b8fa3e18856d007cff87e3d86904117981dabb86665e73fb5

Comments