MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34c8a2a933cd27ec21c936bc1b719d0447e65251944e6eef8fb16240baec8e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c34c8a2a933cd27ec21c936bc1b719d0447e65251944e6eef8fb16240baec8e9
SHA3-384 hash:	6b0e2d47f0b3743676426b73ae95b612552eb1bad24d489e58254907ceab20a906f01123fea3abadb2aa1886133f7ac6
SHA1 hash:	73a0d215467a5fa27d4a65878de46d32d73a1010
MD5 hash:	353d3a47a9ac7f6338a2ceb5fe66392b
humanhash:	connecticut-network-dakota-quebec
File name:	Revised Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	600'064 bytes
First seen:	2020-09-21 16:37:26 UTC
Last seen:	2020-09-21 17:46:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:HTp++r7BwrDi4VmGru6+pPYQ87yS+mHI4UNc:HTpRr9/wru+haO
Threatray	129 similar samples on MalwareBazaar
TLSH	5CD4AC1532A13F4AE0B94BF00295B4B2C3B624417626D3987F8761FD66F4BD07E29B4B
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64024/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34561641.21692.1434.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/471513

Signature

.NET source code contains potential unpacker

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c34c8a2a933cd27ec21c936bc1b719d0447e65251944e6eef8fb16240baec8e9/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-09-21 07:22:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yngiukuthtjh5qq4snv4dnyz2bch4zjfdfcon3xy7mlcic5ozduq._file

Verdict:

unknown

AgentTesla

1eb61b56f976e2b47aa77a2e84c86dd7050369f99b54f767ae9d5448c53c6294

AgentTesla

51e3cf774d8490cfcea0d466b00817753386ff02cf3aa35e63a785f61df2883e

AgentTesla

54d6acb8484b5a951614ee5fdfccac3a6c12fb79047dd92d3915d5237fd9dc51

AgentTesla

7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873

AgentTesla

7338f4c2a83414de28a32d8d91bd61b5dda78b660c70dc82f53a68a06fa67182

AgentTesla

93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058

AgentTesla

9e3a94f237c30841d45f04d73fb46e31b3fa5c5f45a6b49b5acd8aaf9f0b748d

AgentTesla

c18d20986c78642ced7ac827d0436033e931d6bfad38b70ab4473cea1da792a2

AgentTesla

cb1b1d99cbf6d7bb1a30ec1c7ee31c36b8e19230751046688ad1a14b2fec4758

AgentTesla

+ 119 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

evasion spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200921-y57hzxd3zs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c34c8a2a933cd27ec21c936bc1b719d0447e65251944e6eef8fb16240baec8e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/64024/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample