MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f
SHA3-384 hash: 04d101635e185761e11d0a22ee457674c896f6e065c1c5ef12377b36091f7cd1461688f002d130a6cdfba8366917273d
SHA1 hash: 20051f76d9e6c509166680bf0ee05375d22c2105
MD5 hash: f01c4009f334c8f664fa7362ce0ecb8b
humanhash: princess-fifteen-moon-berlin
File name:PO19427.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:998'912 bytes
First seen:2021-01-19 15:04:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:XobbEmRkQMo6GeJwAmmtyDYe5i3iGtXEL9wwYelO3cye8mSy36MpY15ze4y/OTu8:VLVYO3pTAYf1T/8/sLcVYYyxOg8XBg
Threatray 11 similar samples on MalwareBazaar
TLSH A925275427AC8F94F2F987F812639A8093B72D0B921AD64E4C923DF6367DF830945787
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO19427.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 15:06:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd0f4674-5436-4315-b9c3-43391da92543

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112925/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/585194
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341628 Sample: PO19427.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 55 smtpauth.earthlink.net 2->55 67 Found malware configuration 2->67 69 Sigma detected: Scheduled temp file as task from temp location 2->69 71 Yara detected AgentTesla 2->71 73 7 other signatures 2->73 8 PO19427.exe 6 2->8         started        12 MfMrl.exe 5 2->12         started        14 MfMrl.exe 2->14         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\QfPCeWwQflEEtQ.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmpC942.tmp, XML 8->39 dropped 41 C:\Users\user\AppData\...\PO19427.exe.log, ASCII 8->41 dropped 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->75 77 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->77 79 Injects a PE file into a foreign processes 8->79 16 PO19427.exe 17 9 8->16         started        21 schtasks.exe 1 8->21         started        23 PO19427.exe 8->23         started        81 Machine Learning detection for dropped file 12->81 25 MfMrl.exe 14 2 12->25         started        27 schtasks.exe 1 12->27         started        signatures6 process7 dnsIp8 43 smtpauth.earthlink.net 207.69.189.204, 49746, 49747, 587 WINDSTREAMUS United States 16->43 45 elb097307-934924932.us-east-1.elb.amazonaws.com 54.221.253.252, 443, 49745, 49748 AMAZON-AESUS United States 16->45 53 2 other IPs or domains 16->53 33 C:\Users\user\AppData\Roaming\...\MfMrl.exe, PE32 16->33 dropped 35 C:\Users\user\...\MfMrl.exe:Zone.Identifier, ASCII 16->35 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->57 59 Tries to steal Mail credentials (via file access) 16->59 61 Tries to harvest and steal ftp login credentials 16->61 65 2 other signatures 16->65 29 conhost.exe 21->29         started        47 192.168.2.1 unknown unknown 25->47 49 nagano-19599.herokussl.com 25->49 51 api.ipify.org 25->51 63 Tries to harvest and steal browser information (history, passwords, etc) 25->63 31 conhost.exe 27->31         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 15:05:07 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcadfykd3gps35no5zh2phassd3nvydi2szfibj3ym5gwpofhj7q._file
Verdict:
unknown
Similar samples:
03d24a095ae2fbaf26f5535638ff731fd3eb89f2767359ef1df108bdfde5359d
AgentTesla
182fd1343975d43f456f199f379210d562d15ea3c8e4c7bd59899d75c18a2fe9
AgentTesla
3013607bfee8bcca1767c2a33cea94602e3c97baba31f96fc8a08014cf2576b4
AgentTesla
3dd4c0a246882a35140b2476292a4070038e90755d0f9d9da65daa06a99880f8
AgentTesla
5844c46897bed7fe14055a67a96610d8f81d68af270d698a600bb234bf813653
AgentTesla
7d616629dceb30f4c3f4dec759fc0e802371115a1e8cd289aa731555df6be3ae
AgentTesla
7f7afb406c8f911f21354b2ea60fd688ce8083ed0ab10156c6f3421d927d2fab
AgentTesla
8fe13da45a5732ae42c27687b9cf9105a3f2028857729bdfbe3ae31514a6b298
AgentTesla
b063e0814954e1b53983884c2058fcaaf2f28b37b7898689cbf55454d7bc2c3d
AgentTesla
cc26bac0f47c7d3853f301243a6cca755b3eebd571133ddbb247998caa8d8682
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210119-yzvdq6gy4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
d50631bbc912f48210d395b15e0d00a15221b98a0cf6a8016f3c9c7b7917c928
MD5 hash:
328dfa55c7fd89131794f1d10b597b47
SHA1 hash:
2b2989f368be67af656cd322316e3386d6301ff2
Link:
https://www.unpac.me/results/1cd382b0-88ef-453d-821c-69c81a49298c/
SH256 hash:
22025207c38e98b8ab93ba7c2e4bd8ea00e7e72278a34faf7934fc502eea121a
MD5 hash:
8c0845ffba9bfc054c529051a30691bf
SHA1 hash:
c9295ff47b24864123d0811f348cf265f810ab22
Link:
https://www.unpac.me/results/1cd382b0-88ef-453d-821c-69c81a49298c/
SH256 hash:
0772d65f1a3ccc5969e7e2230b49a497fb24813130b31bd934ba57a2f6cae1ad
MD5 hash:
d6314010bbae2126283e0c69b3bfd146
SHA1 hash:
025f5a0e86d29a84fd221e09411232e21124cdea
Link:
https://www.unpac.me/results/1cd382b0-88ef-453d-821c-69c81a49298c/
SH256 hash:
c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f
MD5 hash:
f01c4009f334c8f664fa7362ce0ecb8b
SHA1 hash:
20051f76d9e6c509166680bf0ee05375d22c2105
Link:
https://www.unpac.me/results/1cd382b0-88ef-453d-821c-69c81a49298c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a37c94acf19ea3ed755b3f0dcc35362034c90b4a4b837a4e5f9eb96aa560ef85

AgentTesla

Executable exe c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f

(this sample)

  
Dropped by
MD5 4212a3a50be36aa8561d6a59b0ba0169
  
Dropped by
SHA256 a37c94acf19ea3ed755b3f0dcc35362034c90b4a4b837a4e5f9eb96aa560ef85
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112925/

Comments