MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b
SHA3-384 hash: 7cb7c6da4193ae92654e35836b7241493e837e45eb17fba149deac7b35be7785a8f62c263105607e56b4f9d70c8a90a1
SHA1 hash: bcd5b9501ac838ee5a338bccea07a49c1e8d564b
MD5 hash: 78d2800f23f8895851622f3d62984d26
humanhash: high-item-edward-west
File name:Conakry_111120.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:780'288 bytes
First seen:2020-11-11 19:13:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 270bbf1087e39e0357f9ab6438b032cd (13 x AgentTesla, 5 x Loki, 2 x HawkEye)
ssdeep 12288:Y+FRaF5TTiWvSRRremdqRJf79pJ89QYwkmOtAFcKlVQVyu4I:dFs1iWvY383OG2mOtAuKlpU
Threatray 2'643 similar samples on MalwareBazaar
TLSH 4FF4AF23E2B14C37C173263B9C1B57A8AD35BE303D6898466BE45D789F39391B8192C7
Reporter fabjer
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Generic.mg.54d657c9a3d9b7b4.23175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/530568
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314384 Sample: Conakry_111120.pdf.exe Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 5 other signatures 2->38 6 Conakry_111120.pdf.exe 2->6         started        9 app.exe 2->9         started        11 app.exe 2->11         started        process3 signatures4 40 Detected unpacking (changes PE section rights) 6->40 42 Detected unpacking (overwrites its own PE header) 6->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->44 46 Contains functionality to detect sleep reduction / modifications 6->46 13 Conakry_111120.pdf.exe 17 5 6->13         started        48 Multi AV Scanner detection for dropped file 9->48 50 Machine Learning detection for dropped file 9->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->52 18 app.exe 2 9->18         started        54 Maps a DLL or memory area into another process 11->54 20 app.exe 2 11->20         started        process5 dnsIp6 26 bulancak.com.tr 92.42.36.37, 49734, 587 EUROTA-ASNEUROTAINTERNETSERVICESLTDTR Turkey 13->26 28 mail.bulancak.com.tr 13->28 30 4 other IPs or domains 13->30 22 C:\Users\user\AppData\Roaming\app\app.exe, PE32 13->22 dropped 24 C:\Users\user\...\app.exe:Zone.Identifier, ASCII 13->24 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->56 58 Tries to steal Mail credentials (via file access) 13->58 60 Tries to harvest and steal ftp login credentials 13->60 62 2 other signatures 13->62 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 10:20:49 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zj56w5ua4vwhq6vq4bddj6at3pw2ttrkyfdjxbvmkc5jpj4xdafq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0020c6f173f529a8e7b0bb5e1e842b09c87cdf57bce308b09a9b9826bfb6a0fc
AgentTesla
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
6f175e5ca3aed259ec1288d9dbd2510bff46dd383f95c07d9495570699934445
AgentTesla
8b51b20b7962db09c0791b27e7ac10fd933026777ad967a7cfdd5c23c7ac065e
AgentTesla
8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7
AgentTesla
9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2
AgentTesla
c076fb8aa8701a1255fad0401bc4d812fad82a0835fd2f95b9d7ade3fe9abec1
AgentTesla
+ 2'633 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201111-z6rvyf5kq6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b
MD5 hash:
78d2800f23f8895851622f3d62984d26
SHA1 hash:
bcd5b9501ac838ee5a338bccea07a49c1e8d564b
Link:
https://www.unpac.me/results/e97a1080-8937-47b4-89b1-2b87d33e8323/
SH256 hash:
aea5abbf0fb4b57845b9260e5441de5288d33696fd51ab03ac833a144f012f42
MD5 hash:
4de7f9e36330f85ab0d8605af7c8948a
SHA1 hash:
50af0ff56aca9cd210fa7b52f9dcc78c42e86bd7
Link:
https://www.unpac.me/results/e97a1080-8937-47b4-89b1-2b87d33e8323/
SH256 hash:
c57a113c794e0aede270bd085f0eb54cc1ee79a20bbd88d3d29abc6e21a961e6
MD5 hash:
71cd7d93c384fe0fd953ed29b92c9fdf
SHA1 hash:
c2c4edbe846f94ed60035a16383821adfb73132f
Link:
https://www.unpac.me/results/e97a1080-8937-47b4-89b1-2b87d33e8323/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f97158365c5e5346e90a879f47cd57c97f1048df611f003781721076044d60c5

AgentTesla

Executable exe ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b

(this sample)

  
Dropped by
SHA256 f97158365c5e5346e90a879f47cd57c97f1048df611f003781721076044d60c5
  
Delivery method
Distributed via e-mail attachment

Comments