MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef
SHA3-384 hash: c3c0c97f2e4603dac318e55bb55c9ecbf821e520d794c8d5cbbf062a1a5d0bb8264b4d5d593230c1996ff295a57e8652
SHA1 hash: 1a134213e5089c58d6d27822046e82339f411423
MD5 hash: 22a5eac38c99cf5a095a5f9558fb03d9
humanhash: pennsylvania-ten-river-seven
File name:22a5eac38c99cf5a095a5f9558fb03d9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'352 bytes
First seen:2021-03-13 08:20:00 UTC
Last seen:2021-03-13 09:48:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:srX/o2sJn/Zl2wCmgCjgXHNZGcN4p82R1Ks:9/ZURLNH4p8E1Ks
Threatray 3 similar samples on MalwareBazaar
TLSH 36E4AE243AFE9119F177EFB94AE074969BBFF6732B07D41D2491038A0613E41CE9163A
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Virus malware.w97mdldr.agent.cmmmc New Enquiry -RFQ21030587.msg
Verdict:
Malicious activity
Analysis date:
2021-03-13 06:54:08 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader rat agenttesla
Link:
https://app.any.run/tasks/a5760ddb-f1a2-48a4-b107-d76519e065d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124068/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36492031.29777.1379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/638510
Signature
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 368232 Sample: IcrI297v58.exe Startdate: 13/03/2021 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Multi AV Scanner detection for dropped file 2->30 32 Sigma detected: Scheduled temp file as task from temp location 2->32 34 8 other signatures 2->34 7 IcrI297v58.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\...\HqEeDhquZqBCg.exe, PE32 7->20 dropped 22 C:\...\HqEeDhquZqBCg.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp4A91.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\IcrI297v58.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 IcrI297v58.exe 7->12         started        14 IcrI297v58.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef/
Threat name:
ByteCode-MSIL.Trojan.Bomitag
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 23:42:29 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymmik7nboqvhesrfo224xex62grc2mwwgvaikit4pvb77askldxq._file
Verdict:
unknown
Similar samples:
8c248038f6045835d77fe9f89698aafdc26a2644c89bc8cef54c13a9dceff4a2
AgentTesla
ae51307a504c0f6f85b4df8b639d2b5694309158427d81ecd59b577cb5bcbc0e
AgentTesla
ddb331bdf8cdf8a3dfce4e48e1939e50dab2db303b5780511e8d3dd7006e1b94
AgentTesla
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210313-lpcxrsrd2x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
da3a99534824255ff1ec7683cc02bb4de7086b7ac0d4b69205434638c50510b3
MD5 hash:
ca7979e7723dfb802f49395076754b11
SHA1 hash:
3143a40ad67116cba11d167dc1eaffed6fce4b07
Link:
https://www.unpac.me/results/115bc9c0-59d2-4b93-b678-a0c8836eaa58/
SH256 hash:
c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef
MD5 hash:
22a5eac38c99cf5a095a5f9558fb03d9
SHA1 hash:
1a134213e5089c58d6d27822046e82339f411423
Link:
https://www.unpac.me/results/115bc9c0-59d2-4b93-b678-a0c8836eaa58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c318857da1742a724a2576b5cb92fed1a22d32d6354085227c7d43ff824a58ef

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/124068/
  
URLhaus
https://urlhaus.abuse.ch/url/1060977/
  
Delivery method
Distributed via web download

Comments