MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015
SHA3-384 hash: 0fdf3ea68a90ba92b930a92e1841e58e9f70a2a7e43a41f22614b2a9fe8293082b9d48235a40a2fdff03f86df78cf1ed
SHA1 hash: 36c34636c2f5cd3b8a91b71674a171fc5b3dc51c
MD5 hash: fadbd33dcf4ee68892399accfe1cb01f
humanhash: king-orange-zebra-johnny
File name:FedEx Courier Tracking.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:765'952 bytes
First seen:2021-05-28 05:51:02 UTC
Last seen:2021-05-31 06:59:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:7YZvEqBa3MYIu066iUhdSSXmzRBiUp9rldOra0tXvcBVNBDmxut7:kREqB8hSXdSNp9rMa4XvcHXt
Threatray 5'360 similar samples on MalwareBazaar
TLSH 1AF47C2D1294076AD17DD3B9CDE0841797A0F523B622FF9D98C5036D0B9368AB99333E
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx Courier Tracking.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 05:56:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/874950ac-2d0c-4bda-b6a8-9cf3ba771459

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162885/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793646
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 00:10:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsj2tyqbvrgipq522v4glpviajcmt3f6xgrydosgpka74g4guakq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
AgentTesla
4fa5fc906da5080dbb40f75ff0aa9301080531e3dccaede9e9169121b5d0822d
AgentTesla
5a9e1ff007254cb77b90545f61dd8ea00eddc37b080950563b95d1bfbe70bb26
AgentTesla
88f94c1e8a555d84bf7ad2e0fe21d82d33f1976786267af93808cc050d039bd9
AgentTesla
9dfdb84198d7f2fdb9d84755ade6eb891880447a68d64ebda45777d9be463f8c
AgentTesla
aefa2f5a8448c792183fedf9d025becfb782102b749c0fe3be273975f2dc3b61
AgentTesla
b4eddee0ed85389b25b45ad11c5ba9e581e667e6fc5aa32abae9d4c6b915845e
AgentTesla
c4cfc6eb77f1095f81578053857d14d9597a3c13aa35654fc2742989862ce6e8
AgentTesla
fb8bc20c5ad0dbeedd5c90d8fa5e9bd7e0ff71fe75c7ebd51559b0599699281e
AgentTesla
+ 5'350 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210528-ssyxwgy4pj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace dffbd4034771d48648f3ad820ed01ed16c46da3b857dc8f0594d349c98af63a8

AgentTesla

Executable exe cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 dffbd4034771d48648f3ad820ed01ed16c46da3b857dc8f0594d349c98af63a8
  
Dropped by
SHA256 d8773d2a6628549f7afc66d8e3aa386414049861e2f456cb5ae339cbbb103ec1
Cape
Cape
https://www.capesandbox.com/analysis/162885/

Comments