MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb
SHA3-384 hash: 299a16cd8e42700aa37f5bfefd2ff4155c259249e447d459f378fbff0041f35db368b97183fe2ae9b6feadf5049996df
SHA1 hash: b6ef73e73f4e33870db5011937df141f06f0083f
MD5 hash: aa248e46fdd3d9c3278ef8c12fe49be3
humanhash: monkey-chicken-saturn-arizona
File name:SecuriteInfo.com.Trojan.InjectNET.14.7309.29776
Download: download sample
Signature AgentTesla
Create hunting rule
File size:888'832 bytes
First seen:2021-01-25 11:53:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:tTDgabSe6rB4uXSuNn+WNgYWhWR7fWRGUYEx+MY/bXmpgVtL:qXSa+WN7jeGUY1kgVZ
Threatray 2'263 similar samples on MalwareBazaar
TLSH 8115245031D0CA5FC93B42B60650DDAC62A16EDDFD00927858BD7A9F292FE8D57C0AB3
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.InjectNET.14.7309.29776
Verdict:
Malicious activity
Analysis date:
2021-01-25 11:55:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91945e5e-b8c9-43fb-a1b9-8f21a459ef0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113702/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.7309.29776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/589364
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 02:24:53 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrpsknphbbflovudhpnl76rqm4ba7tt6fbkasce5crsi547fw3fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09b7bf15736eeb15efdae06322e1aa1e8f960d3264aa380ab0ba05a348aadca6
AgentTesla
10791cad73c6725fb874bbce635798638b7b53a6c6653c5ce76c02798fa01ab5
AgentTesla
606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525
AgentTesla
7c1cc691d4f45e93604996ead834345964e3ccc2e20c0df32376cf70c81fa802
AgentTesla
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
AgentTesla
9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6
AgentTesla
d79ac65fba80d34f0012d82182dd67ca707475ff4628bf5012d2a3d4db7d413b
AgentTesla
d79d31a8f60d1d9d27c04ef0ea64b641d86f515b01e0a4a0465d7c15bf5bb4bf
AgentTesla
eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a
AgentTesla
fb4beef772683d5977d8c5a3c65365efbcddc966795944f52d9f7f54e9b4ee7b
AgentTesla
+ 2'253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210125-tcl9fvz236/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ca5827103be70f5553ba1a96fd8ba609ab2c465240fa16ca8ca383d3ac787f9e
MD5 hash:
387e9684d09537b48c4571d0826daffc
SHA1 hash:
fa0e00dc8015370380b39ac1145d487430c97116
Link:
https://www.unpac.me/results/cb4824a2-9e70-4274-99c5-28c555cbafd7/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/cb4824a2-9e70-4274-99c5-28c555cbafd7/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
8a5bfdd7764cc4db1a252d16697b1a9851fc5bebfd466999ffd8bd1047558943
MD5 hash:
924bf21f899bdd270387d806fbfd316e
SHA1 hash:
20f122a66b9700fc7cc8d6091cdc5c7fd9ae0087
Link:
https://www.unpac.me/results/cb4824a2-9e70-4274-99c5-28c555cbafd7/
SH256 hash:
cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb
MD5 hash:
aa248e46fdd3d9c3278ef8c12fe49be3
SHA1 hash:
b6ef73e73f4e33870db5011937df141f06f0083f
Link:
https://www.unpac.me/results/cb4824a2-9e70-4274-99c5-28c555cbafd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113702/

Comments