MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef
SHA3-384 hash: f6980a3ca6dc2eeebf21325e053ef56070f4e7ba1fbb469350714ad7c33300c288330ddf1b15d0ea1e1eaff9bbe95953
SHA1 hash: 505cea96f52313834d4558265b240ae1cfa97f21
MD5 hash: 6190282afdf5d0935f58381bd4d1bdf0
humanhash: cold-golf-south-fanta
File name:PO_1012000007.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:649'216 bytes
First seen:2020-10-12 07:31:52 UTC
Last seen:2020-10-12 09:03:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PJXq2IAtadN8o+dJog3vKf9ZJpU4Ud+7ykPjAJd0:PJlPL3+9NeIyMjyd
Threatray 452 similar samples on MalwareBazaar
TLSH 5DD4F13123DA9716E47AF3FE4120245037F2E401D326DA297DC5829E1A2EFC5CAA6F57
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69985/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/488115
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296516 Sample: PO_1012000007.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 80 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected AgentTesla 2->19 21 Yara detected AntiVM_3 2->21 23 3 other signatures 2->23 7 PO_1012000007.exe 3 2->7         started        process3 file4 15 C:\Users\user\...\PO_1012000007.exe.log, ASCII 7->15 dropped 25 Injects a PE file into a foreign processes 7->25 11 PO_1012000007.exe 2 7->11         started        signatures5 process6 process7 13 dw20.exe 22 6 11->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zb2bvuytbok5dx3af2m62zkitx3yram5vpuja7zkisizp2f2s7xq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
264ad4ce9b883fe3ff074ec43f796c1a496da7647bad4bd70c3c905b2dc22711
AgentTesla
2f02f87bd00996719cd97c827f1bd4578033a03d7e3884ec18ec0eca32cee516
AgentTesla
36f888cfcc5ca73bed330401ff231b38012baad656797b803d51157ee2252177
AgentTesla
6564b76eec49b15e7a3f42b48fedca593b48e5f145863dd16ea519b3bcf09e60
AgentTesla
8f1df804a5fc826de1487d95db7e15faede754cd925132f7e920fd712e154208
AgentTesla
c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c
AgentTesla
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
AgentTesla
f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083
AgentTesla
f924ed04e2ce70872e8e341379288a15579ade521df2e4d248054fe2d9357ee2
AgentTesla
+ 442 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201012-d2qnd246fj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef
MD5 hash:
6190282afdf5d0935f58381bd4d1bdf0
SHA1 hash:
505cea96f52313834d4558265b240ae1cfa97f21
Link:
https://www.unpac.me/results/02cdab06-e6c6-44fe-8520-8564aa1c037a/
SH256 hash:
15ecb6ba26a884f8c062fd99f8dd2b9829ebcbdb083d14cb1066ffb111b419ab
MD5 hash:
e6899a1c4bb6f85c690b2067a30a249f
SHA1 hash:
772b9ee763df8054fba692d04abf17cbd4a71f30
Link:
https://www.unpac.me/results/02cdab06-e6c6-44fe-8520-8564aa1c037a/
SH256 hash:
ca3aa94095586487db82a4a8047968283268c0adf774f2f75b848ea66be4eb4f
MD5 hash:
4ee2ea995afd39893f7466d93daeac1e
SHA1 hash:
11f6932d45355a9d3690364331772ba8cfd037e8
Link:
https://www.unpac.me/results/02cdab06-e6c6-44fe-8520-8564aa1c037a/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/02cdab06-e6c6-44fe-8520-8564aa1c037a/
SH256 hash:
120bb2d28ebceeea14dee66cc5ef31a8fabd84c05927e422ed862acc3a10361f
MD5 hash:
23c2901b7c232371b1dce5e2279d2568
SHA1 hash:
5677f535d12b6aba774692b1f5e7c6ba265c1a0a
Link:
https://www.unpac.me/results/02cdab06-e6c6-44fe-8520-8564aa1c037a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69985/

Comments