MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3
SHA3-384 hash:	7d1db04731ca3239dae69703f056c8bfa38a8e14d2a8f8479677376ad9fb68f30562887d982e3d835f2b2f31ca8a4383
SHA1 hash:	ca2c864910dc2804b7a143a6b3ba5fe3d8ea92b9
MD5 hash:	06e4bc76d9fb5dc178436b8305090714
humanhash:	wolfram-princess-mike-bravo
File name:	CONSIGNM.EXE
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	396'288 bytes
First seen:	2020-11-03 06:24:03 UTC
Last seen:	2020-11-03 07:57:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:Bu2Mo+Efv8I1zd5wIJH5y5bvDweMjYleUXnf/0Dl9Ory255:wHet1p5ZXylIAeAKl9iy
TLSH	F4849E727D92546ECA6F07714069C5C1FABA1AC73F608B0D71AF530C1E21B1BAB6364B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/81949/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.1103.7561.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/518859

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-03 01:40:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zvu2yzjdpnpjfabzlnh2v5yei7tfetmzqap53kg7wyqxr4speszq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201103-2kdwv95e8a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3

MD5 hash:

06e4bc76d9fb5dc178436b8305090714

SHA1 hash:

ca2c864910dc2804b7a143a6b3ba5fe3d8ea92b9

Link:

https://www.unpac.me/results/8b1d02f3-e9be-47cf-a80e-20eb9f61b2ab/

SH256 hash:

85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d

MD5 hash:

a5baef204b1c2470b3692ead91645bcc

SHA1 hash:

636c826cd651b6817711353b140d7960731daec5

Link:

https://www.unpac.me/results/8b1d02f3-e9be-47cf-a80e-20eb9f61b2ab/

SH256 hash:

302bbb655059afda68827cd053ddfa63f03dd364e84624956210fd578133135c

MD5 hash:

71af938c05c676dc11975611e77eb5ae

SHA1 hash:

adfa2c902fda4999fb4512030ee5b216de2c8e80

Link:

https://www.unpac.me/results/8b1d02f3-e9be-47cf-a80e-20eb9f61b2ab/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/8b1d02f3-e9be-47cf-a80e-20eb9f61b2ab/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/8b1d02f3-e9be-47cf-a80e-20eb9f61b2ab/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.