MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
SHA3-384 hash:	4c17a5f2a5c04d160a416b78235e487e4ae59917029d99be5c1979a36cf9dcb453eaf41933bb7c12c1cba765fb1d613d
SHA1 hash:	d38c410f285e114d70375d1b4c34adbee094e3c4
MD5 hash:	6ee206cc7a0260684ddb8073ac0dd2ba
humanhash:	mirror-happy-music-green
File name:	Shipment Details.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	881'664 bytes
First seen:	2020-09-28 13:49:21 UTC
Last seen:	2020-09-28 14:46:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:iyBtjP6eP9XMjfcXBAYOIfJCUwrx9oRC+CJyymGa3+vtHhinklA3PW6jHBq:iyBtjP6+8jUXBAnIfJ29oR0HXVHRS
Threatray	206 similar samples on MalwareBazaar
TLSH	2715F0DAEF446A35D1AE2E7D50B0BE9E13FDD5272E42D32945B3F4894A322800F11ED6
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66434/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.56155.25781.26190.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/476463

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2020-09-28 04:47:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yshdl6h4vpji4nmyfbzufxod6pji6jgwiflynkmam5ouk3qig34q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3e8e7c9ebb8ae4bbb723e1974f176f8cb82ec0fb4e1890ee1f4feed08ae76058

AgentTesla

426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2

AgentTesla

65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1

AgentTesla

68830a24fb818aea27e54e97f4dec890d751166eecb7c02ea3cb03c823e5fe65

AgentTesla

9029fc110d6ad30af1c140d2c7af2192b17c04986ba7bacebed72d58c84241a7

AgentTesla

b90e648ea2d913c493765798db8d443a355bcba18f973c5957e5f959ad794a60

AgentTesla

c9c89543724cc2517b6f7a873f9c33cc055c237829c65a268dbdf64a21b4dd95

AgentTesla

cd1330f16e6849546ee8b46e8a81ce9fe10a70c1377e2179e71151df6bd9379c

AgentTesla

e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07

AgentTesla

+ 196 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

evasion spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200928-qmgdsnrs8s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9

MD5 hash:

6ee206cc7a0260684ddb8073ac0dd2ba

SHA1 hash:

d38c410f285e114d70375d1b4c34adbee094e3c4

Link:

https://www.unpac.me/results/13faac3f-2a94-44c4-8b49-ccde974bc509/

SH256 hash:

9a1c53a54fb6717e16dd767c482bb20215f9e97d555fe36c561bbc4b49f8e098

MD5 hash:

6c15cae6755058a6b0ca8c5b3d53145a

SHA1 hash:

32e99d9bc2389bfe625c12e65d9f64a433a05a38

Link:

https://www.unpac.me/results/13faac3f-2a94-44c4-8b49-ccde974bc509/

SH256 hash:

720a4396ccfa5c4a664e8f51ea8a3ee10f8b8fa7e912f4209dab5a2e3a9094d7

MD5 hash:

d4deb7229a2ec390290d4754b8a5ab08

SHA1 hash:

bdedb0f77d34646899229ff3f1a88fb7b47d6463

Link:

https://www.unpac.me/results/13faac3f-2a94-44c4-8b49-ccde974bc509/

SH256 hash:

729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f

MD5 hash:

ac3f427e66b28b013b0b651c2f71d1e9

SHA1 hash:

ddf8b4b1d36aced75740632b41d30add06b5db3d

Link:

https://www.unpac.me/results/13faac3f-2a94-44c4-8b49-ccde974bc509/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gamarue

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/66434/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample