MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a
SHA3-384 hash: eeba60eea3cb188299ee07654eab7f90c06bd6fd68997a34f10a77fb91bcd0ed3e9f3f73bb589e36600e3c4360809d1b
SHA1 hash: 7353b7c4554027818674ddec42cf1e17018d7798
MD5 hash: 131976b2ccb4c372baa99c242c197806
humanhash: jersey-golf-steak-orange
File name:Sars Document.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:122'088 bytes
First seen:2020-10-21 09:12:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:JimLJHZxKIOnFyPEttSaMgbRSsGRTVdZO8CA1eYoMh479oFvJdzyeUfbH:d5x6n0rgSdZOa7eIdzU
Threatray 721 similar samples on MalwareBazaar
TLSH 09C308296BC864B7D9BF62385CFB450007F6B983F671C93C4D8762D84962A41BF0276B
Reporter abuse_ch
Tags:AgentTesla geo SARS scr ZAF


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.htargetgroup.com
Sending IP: 185.247.119.155
From: noreply@sars.gov.za
Subject: SARS eFiling Letter Notification
Attachment: Sars Document.z (contains "Sars Document.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Artemis131976B2CCB4.22180.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505523
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 04:45:34 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbvxvb7mtfaafj7y65m44n3dhyxl7trsy4t2x4tldsgnjmzpbqna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527
AgentTesla
0d708c83b36fe0c753363337dcd0a940e8e9ce2927a9847e56deed6b98fa5b5d
AgentTesla
1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
AgentTesla
3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f
AgentTesla
83c594ac88f5f244b256a60178ece0bf715c3c4ef0d93973ff0a741453b71ba1
AgentTesla
95b6a02e3bfccd61edaa3f291e2daaed0ee8852a80f26ac7ecb6a1ed7c416845
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
c5a6b816ef66b1c222ca59df4e8e75eed744b3d758430eef345c78e9417aa138
AgentTesla
+ 711 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/201021-9sm4h1z8we/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a
MD5 hash:
131976b2ccb4c372baa99c242c197806
SHA1 hash:
7353b7c4554027818674ddec42cf1e17018d7798
Link:
https://www.unpac.me/results/f497d040-b7c4-4957-acd2-bfd8adbddf70/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 73b35b2597fef1639852e549c4b03e13a45ea3921a5fcd77489bcabd851c912c

AgentTesla

Executable exe c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a

(this sample)

  
Dropped by
MD5 6821f3d924513e0809659251248c3993
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73932/
  
Dropped by
SHA256 73b35b2597fef1639852e549c4b03e13a45ea3921a5fcd77489bcabd851c912c

Comments