MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815
SHA3-384 hash: 921dd6ac6fc6850e65304716c5369658db6e1c8ce10431433e97dbe80a321bd18e220bdfc73726262d09d17732ae8e40
SHA1 hash: a412b95d4490c95fb87695f901d697e29a83b0c8
MD5 hash: f08cd6d5e97832b373e62befac6fe1ba
humanhash: uncle-happy-august-jupiter
File name:Custom Design_Specifications.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:208'896 bytes
First seen:2020-10-27 14:31:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:jDK9uuHGqpqaiJCYXjuR/LPSuG3vsgNYwJg:3uHGqpqaiJCYXjuR/LPSuG3vsgNYwe
Threatray 24 similar samples on MalwareBazaar
TLSH F114C83DAA552AE3A273E63590E60043F9E865CA73781D8B01C32B1C7A4DE123DDB75D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: fiovvserve.com
Sending IP: 157.230.211.140
From: Sharon Yau <sharon.yau@sankyu.com.sg>
Subject: New inquiry of Face mask//Custom Design!!
Attachment: Custom Design_Specifications.zip (contains "Custom Design_Specifications.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79962/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513787
Signature
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 12:20:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tsc6l7z6ao4clufjhem4f4dffy2sj7szatmglnkhvhdox6sdakq._file
Verdict:
unknown
Similar samples:
1cef46cbb22cfda50b0e93dadedfb09f511b80e802d239270c96954a38d11f28
AgentTesla
3d51c6c8739a9038ef4a2fd3c255ccb1206ea5e4e148af61ec47867395d3540d
AgentTesla
4de20c38ffff3f9d75d9a446f152c017d9010477c28c8b97875f95f448ecb761
AgentTesla
9c30836b7e26dc68f2f9299a1014cfda6fd1446b9938d559c82aa6462b5fcab9
AgentTesla
b4f95e4d9620a26624a59ba027823fa47cfb1cc562613d51c7305ab5f0fcea56
AgentTesla
e4491a0d3030a3c03f75f931bb5f532b6064feb927a9664bda88c675d480b77c
AgentTesla
ee1a9615502f7e593a97d94528cffa575919ee29820bc99c27180296c228d5cb
AgentTesla
efc2e2029414d0b2c20a5a31a7845d77d3634b9c272363b79ba131b3bff453ee
AgentTesla
f508afb3a24ea2a3865ef48de1c0f2886ac26641ea6c517c727041e11a15e886
AgentTesla
fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85
AgentTesla
+ 14 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201027-2aa5bxy252/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 53f6ded40124dfbe2eee88232511d996375552983bc437f8959a42b4f40e1112

AgentTesla

Executable exe d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815

(this sample)

  
Dropped by
MD5 417867dc123fe25a9c526fa67e067861
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53f6ded40124dfbe2eee88232511d996375552983bc437f8959a42b4f40e1112
Cape
Cape
https://www.capesandbox.com/analysis/79962/

Comments