MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cec78b430e4bb75b78a1f1c4271b030543861f49a8efe5e85d265ff8e70d7228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	cec78b430e4bb75b78a1f1c4271b030543861f49a8efe5e85d265ff8e70d7228
SHA3-384 hash:	2eee38ea4d21b6da0118c9e86f1694d70e49065480e86fd86efd9a2502d8f7a84df4a0dde0828a236b5ca9a692a3133f
SHA1 hash:	d0ef6ef0376f7b8b07c5e2f69943fc68d79ac0c9
MD5 hash:	1d028af73017d0dfc4dbd191884871aa
humanhash:	item-summer-tango-juliet
File name:	pay-10034-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	791'040 bytes
First seen:	2021-05-11 06:44:45 UTC
Last seen:	2021-05-11 08:19:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:aoLLoS60/K7yh06lJxOy4db3rNeHCSDtEJ9NYJKI4rZpUYhsC4:aoLA6LxQBeHhEhYII4FeYhsL
Threatray	4'779 similar samples on MalwareBazaar
TLSH	DAF48CFC754464F9D35B5C27A3CF1C1682241270AA3B6A0B9B2103BE5A5BE173E399CD
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/154843/

Detection(s):

SecuriteInfo.com.Artemis1D028AF73017.577.1565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/778297

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/cec78b430e4bb75b78a1f1c4271b030543861f49a8efe5e85d265ff8e70d7228/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-11 06:45:21 UTC

AV detection:

14 of 47 (29.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3dywqyojo3vw6fb6hccogydavbymh2jvdx6l2c5ezp7rzynoiua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4fcb20f32c0c827e9f3977a2874dd0acc7163dedcddf56004e03a38a53d720f9

AgentTesla

570c0394104f3b8a1dcae244814fe851e851c7f7d740d6a24715f2c1c51d35ae

AgentTesla

63ebe3b6b4c74b82cc098f5ba4eccf9e100b0fde5dcee78347042f357eb1b5d5

AgentTesla

a1297ad5970529014466745cbb2d1615ba88de8e062e77101fab26937ac518ac

AgentTesla

a44ff74c6494d974b972a18a5267d279971f1830eda15277188b4134fa4df8d7

AgentTesla

ab62d479188ea1f541b748cdeb04ddad8ebee4b32a1131f019bf0771a182c718

AgentTesla

b20c3245ef7cde5dc9429ef1bcef75cba906df8c09b28b29ac882f62135491a7

AgentTesla

c20cdceb9065b28f9e80f21bf214d1eac74d40960f0bc9e4226d55e0ef9dfe61

AgentTesla

cbc1b2bb407f02710060a11cdd74386337b92597af3d8de8c1d90c33672868ec

AgentTesla

+ 4'769 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210511-lvpm8x5vrs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cec78b430e4bb75b78a1f1c4271b030543861f49a8efe5e85d265ff8e70d7228

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/154843/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample