MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a
SHA3-384 hash:	4e1d83e019f8cfd8fab990e0bc6741aa224ef753b052b57971fa2869dacdc1dc8b98ff9c68813649fc41f0b01c2fbb53
SHA1 hash:	82b46656404c9a2c47e539545301fafff6b34643
MD5 hash:	ad0d1669c8de1026a6c126c493a16402
humanhash:	massachusetts-bacon-triple-alabama
File name:	DOC_#NV44120.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	573'952 bytes
First seen:	2021-03-17 12:37:00 UTC
Last seen:	2021-03-17 14:34:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qlV562ju4gT+F7mA+73W3Fzz3I3rKaZrwBr0jIP:qLVuRTGGm3Ri9/j
Threatray	3'278 similar samples on MalwareBazaar
TLSH	0CC4AE0623149552C77F493ED49386102672BE03AB1A53CF1AD1F8F81BB22CE7E5B5DA
Reporter	cocaman
Tags:	AgentTesla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DOC_#NV44120.exe

Verdict:

Malicious activity

Analysis date:

2021-03-17 12:53:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4d61b0ed-1cd6-490e-bcf9-282e24e82016

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/124548/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.23337.30248.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Sending a UDP request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Moving of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/642231

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2021-03-17 09:34:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zuajzewplukmgzipxt34iezy32dlj5gxia7w7ydebiyejqobgeva._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6117ef5bdf129b7cc226a3bb9e3734f1b7502ab893603c4368685017f31a0677

AgentTesla

63fe4414329ce0fa71954c9d1a65a74d49457844fb1043b104f4cd64c832f84b

AgentTesla

6e1104a023506f755bda604158d0376d3e7ea43e025666704bb7c52a7fbc9cf7

AgentTesla

73db8576ad079efbe1376a00f6d027d0e9aeb173f594ee7161dbd5c62f9f215d

AgentTesla

791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c

AgentTesla

8ab6e7ca68c0c1ab0e39ede908135343fbfbfdeb3b6981f4630e6c74e73d7ca3

AgentTesla

afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662

AgentTesla

d60076d9ebcd69f0403422ebb01bf2df5faa59ce3fe2596b76ba0868ec666549

AgentTesla

dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2

AgentTesla

+ 3'268 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla persistence

Link:

https://tria.ge/reports/210317-5x2t3hg1v6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Unpacked files

SH256 hash:

cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a

MD5 hash:

ad0d1669c8de1026a6c126c493a16402

SHA1 hash:

82b46656404c9a2c47e539545301fafff6b34643

Link:

https://www.unpac.me/results/8a1ab030-d964-40ce-9128-52162fd436b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.