MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9
SHA3-384 hash: 1948113e8b9d1de3baa15f10b50d9f42cf6bdf08ee461a5e3453e9fb402e5656ee528476bd347672b1906dedbd1f6a25
SHA1 hash: b1ff86e4c562609d58f627ff48430fe44663c8eb
MD5 hash: b361c27079403356c71d9133d0e4c3e6
humanhash: social-fanta-steak-butter
File name:accounts statement.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:615'424 bytes
First seen:2020-10-10 07:12:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:LHbAHiPd0e4n6T3rEpyQXMUEldxHR7PUZJ:LsCVL4n6TQLXM9Xe
Threatray 437 similar samples on MalwareBazaar
TLSH D9D4DEBF110C1B5BC56C057A4254900D4EECF8165DB2FE36EEEAB0A872D65CC6EC3962
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns10.metro.net.bd
Sending IP: 103.36.103.52
From: Rajat.vinayak <rajat.vinayak@journeysexotica.com>
Subject: Re: Air Freight
Attachment: accounts statement.iso (contains "accounts statement.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69723/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487458
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296172 Sample: accounts statement.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 12 other signatures 2->47 7 accounts statement.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\Roaming\FVQnEa.exe, PE32 7->33 dropped 35 C:\Users\user\...\FVQnEa.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpFBA0.tmp, XML 7->37 dropped 39 C:\Users\user\...\accounts statement.exe.log, ASCII 7->39 dropped 49 Disables Windows Defender (via service or powershell) 7->49 51 Injects a PE file into a foreign processes 7->51 11 powershell.exe 25 7->11         started        13 powershell.exe 20 7->13         started        15 powershell.exe 7->15         started        17 13 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 9 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 06:02:59 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfiqq7tarz4ljouawiymfbnyauvmpnsmzqseuyjnn3c5d2r4mx4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
AgentTesla
4107ae832e2a94dd12c11823472aba013b3d016efbc357526152a2e0d2d3ca88
AgentTesla
4bdce1c0f19e06fe3011983fd12202ca87b82016cf29422554ec1687e0ff377f
AgentTesla
63dfa06e060f866e2762247bd6f172422c735f8d6f4402bf4b709933c2d4da59
AgentTesla
6b5ade8c20a7aa1d53ae922e4e473b254a81e61055296736ab0d82f8a743203d
AgentTesla
c5a82d840d865ea9d1f28c5d58a676d47d76de746bbfbeecfd0569f9ae476bff
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
f974f658397b27bbc57a78873cfbebe57a8ff2742fc9b8bc4a69bc6736625099
AgentTesla
+ 427 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201010-tj6qdp1gen/
Unpacked files
SH256 hash:
c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9
MD5 hash:
b361c27079403356c71d9133d0e4c3e6
SHA1 hash:
b1ff86e4c562609d58f627ff48430fe44663c8eb
Link:
https://www.unpac.me/results/4efcf629-4d24-4f4c-ab5e-9ff996ff5d14/
SH256 hash:
64fa7bdea7b6e756880294c697c110dc9030865f8a7145c6c9a1dcb311409ef0
MD5 hash:
88a3c84964c41118f97b02bc5f6ab046
SHA1 hash:
016cbc346c9493541533231226f1696b9735a59b
Link:
https://www.unpac.me/results/4efcf629-4d24-4f4c-ab5e-9ff996ff5d14/
SH256 hash:
f864d9c3b4f70878270b6eaf9790f9ed2a9836c28a2f324f6ab5565f5fdd586c
MD5 hash:
39abfc843d5e7418806ef20f8466a397
SHA1 hash:
12f8457ad022e0c665a12d5e7e474a9ac455ec29
Link:
https://www.unpac.me/results/4efcf629-4d24-4f4c-ab5e-9ff996ff5d14/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/4efcf629-4d24-4f4c-ab5e-9ff996ff5d14/
SH256 hash:
850e15916b57482cc66f359214927955ccd572d1d4dccedd7d2ce942499b1d62
MD5 hash:
56402aed52d4dcccca3b19969e9978f6
SHA1 hash:
a365e11fa099a18488b228324eb9eb4418679512
Link:
https://www.unpac.me/results/4efcf629-4d24-4f4c-ab5e-9ff996ff5d14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso fdf19cc0213a10256576a4cebd06c2b2e2da9f74eeadec0525589f2202d6c2fc

AgentTesla

Executable exe c951087e608e78b4ba80b230c285b8052ac7b64ccc244a612d6ec5d1ea3c65f9

(this sample)

  
Dropped by
MD5 184a4af7aa6363ed074abb76332fbfd4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69723/
  
Dropped by
SHA256 fdf19cc0213a10256576a4cebd06c2b2e2da9f74eeadec0525589f2202d6c2fc

Comments