MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834
SHA3-384 hash:	cdfb9579f3a0fb274cf2a32a78125817a67bc5effa392ceaf1f30d3ea9ebc3e54419256c53bab253f0388e49f925e85d
SHA1 hash:	4947f448efcb96e9dedab2b7af9a3fa4a3793eb5
MD5 hash:	9e7def773e686ffbac5a9dd2561fbc6a
humanhash:	arkansas-hydrogen-friend-hydrogen
File name:	PO.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	796'672 bytes
First seen:	2020-09-22 16:08:39 UTC
Last seen:	2020-09-22 16:45:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ca18648d2d79ac50557095b267ad0ccf (1 x AgentTesla)
ssdeep	12288:QgHopmseUh/N7pRe9UP+IIFCBDbMV5kFqderO3IVIeNkXIjGIq:HYm9e/sdpunMVKzrcI0XIyR
Threatray	101 similar samples on MalwareBazaar
TLSH	68058EE3F2E04873C1232A3D9C0F5B789926BED02F2969462BE5DCCC5F796417825297
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64450/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/472580

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834/

Threat name:

Win32.Trojan.DelfInject

Status:

Malicious

First seen:

2020-09-22 10:13:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ciynl7lcrqp47t6gp36ggpmwkadot34jg2cidp2zq4xgiztha2a._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

AgentTesla

125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1

AgentTesla

19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142

AgentTesla

3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b

AgentTesla

8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d

AgentTesla

a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd

AgentTesla

b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f

AgentTesla

c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd

AgentTesla

cd2b2d05e9154852f77c8377ee83f620951e47047bb702e026690508fee44416

AgentTesla

d98f8380522e71c61b91d1fbdf98c0528fc20388a85695529824754f00a183a1

AgentTesla

+ 91 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200922-s4rwj21ty2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/64450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample