MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0
SHA3-384 hash:	b8ce012bc6985a2bb09c0571ea53babe35eb3a3778c698e54b7a221ad0931ca6f1e18037e778ac66540f51b981f23caa
SHA1 hash:	f293e71e7ffca88d304f5c8ecc64b6a82bf04641
MD5 hash:	34ba55eeff30ec01035db0de517cdc6e
humanhash:	carbon-hamper-robert-steak
File name:	wqmFtOoVFByaYsvPOtog.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	219'136 bytes
First seen:	2020-09-22 14:29:18 UTC
Last seen:	2020-09-22 15:39:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	3072:pzv/LnrphtUGinAhizB8m4YqNzAy992GlCMONiwJIgwmXVaArrszoE9E:tL13U7njNCNzHlCj/FaAfs
Threatray	76 similar samples on MalwareBazaar
TLSH	C0241956178CAE20CB7E0278C057821837F19633876F928F6AA2D8FE1B456C9FD1B5D1
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

3

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/64431/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.30057.17186.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/472481

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-09-22 14:28:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ms4vkexz5wl6254j5rh4oosg5wz62r2g7ax7eowocxmk56qd2qa._file

Verdict:

unknown

Similar samples:

01dba88e6444acb9df2aac52afd7819f95b84144e209b925c62eb78a3bdca378

19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142

7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873

93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058

a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd

c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd

cd2b2d05e9154852f77c8377ee83f620951e47047bb702e026690508fee44416

d98f8380522e71c61b91d1fbdf98c0528fc20388a85695529824754f00a183a1

dc4eaa151b01375e0ba2392396b60e6abebab99e5590c93ab23ee3063aba5eb5

fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f

+ 66 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200922-ezb2n2fxz2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/64431/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample