MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35
SHA3-384 hash: cd4d7a0aee44ea8f1da8af4eed55545132ea906c7bdaf44f753743f2fd2a317305bfc2b4a30f3d9bd4d5876d7b28c193
SHA1 hash: 1e075c1d5480add67e3b537fc0001953b4428e6f
MD5 hash: 35e22eee2dee70ae284f8b2fa0b5861b
humanhash: ack-purple-oxygen-cardinal
File name:PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:788'992 bytes
First seen:2020-12-07 14:32:18 UTC
Last seen:2020-12-07 16:51:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:S0K6DfK6DunjubUL6eh5Wfxaw/z5RjDByO+35n62qPVGNbTuMuKBD7hpvAz:E6O6oubJ2aIozrjNDynmST0sDdc
Threatray 2'019 similar samples on MalwareBazaar
TLSH FAF46B39AE545139F5726F7C89A02555666E2F93BF1BE89D2CB131ED0B37AC288C013C
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2020-12-07 14:34:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d40039c9-4458-4747-9b82-40a860946ba1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107040/
Detection(s):
SecuriteInfo.com.Generic.mg.35e22eee2dee70ae.28699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556896
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327547 Sample: PO.exe Startdate: 07/12/2020 Architecture: WINDOWS Score: 100 51 g.msn.com 2->51 63 Multi AV Scanner detection for dropped file 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 7 other signatures 2->69 8 PO.exe 7 2->8         started        12 Mymp4.exe 5 2->12         started        14 Mymp4.exe 2 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\OvYVNxxH.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\tmpEB09.tmp, XML 8->37 dropped 39 C:\Users\user\AppData\Local\...\PO.exe.log, ASCII 8->39 dropped 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->73 16 PO.exe 17 5 8->16         started        21 schtasks.exe 1 8->21         started        75 Multi AV Scanner detection for dropped file 12->75 77 Injects a PE file into a foreign processes 12->77 23 Mymp4.exe 14 2 12->23         started        25 schtasks.exe 1 12->25         started        signatures6 process7 dnsIp8 41 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.42.25, 443, 49736, 49737 AMAZON-AESUS United States 16->41 43 192.168.2.1 unknown unknown 16->43 49 2 other IPs or domains 16->49 31 C:\Users\user\AppData\Roaming\...\Mymp4.exe, PE32 16->31 dropped 33 C:\Users\user\...\Mymp4.exe:Zone.Identifier, ASCII 16->33 dropped 53 Tries to steal Mail credentials (via file access) 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 57 Installs a global keyboard hook 16->57 27 conhost.exe 21->27         started        45 nagano-19599.herokussl.com 23->45 47 api.ipify.org 23->47 59 Tries to harvest and steal ftp login credentials 23->59 61 Tries to harvest and steal browser information (history, passwords, etc) 23->61 29 conhost.exe 25->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 14:31:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zl4e6cqrsew5nab3vlvauufbskko4uace7zhvqpbywelbehpy2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
186519bfd9147fc835be7aef50ff15456e53210bbbeec69d0a0d6412999121a3
AgentTesla
1e43a9cb578534543e39c04879feed5a1d9af3f58ab4c60f306bbedcb2be1470
AgentTesla
29606f35cd9ea80936304ef255b1962b8ba4e20a97e40cadabb37da6785c0ff9
AgentTesla
2aee5eb975d16feb1036dbf8298c4b6dc6869de8b44065caf8101a1f40b3b6ea
AgentTesla
38ed7c72a2e50891a633f64047a2a6ce5303c451a1e676a26f300d7bdd90138e
AgentTesla
916a77f4d125bcced72fc073a62d5dea68cedef38cc97817625ae2dc0144f6fa
AgentTesla
bb4fa1ef7cc21d3a4c66b243f542b24473441837a5aa5c453d9d89080b20acfe
AgentTesla
c9ebd1426e4e2da4c74d6a9ef667858b3be5070d792112ce4ee5e7fdc3c9ff9c
AgentTesla
d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
+ 2'009 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201207-a269thtyd2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35
MD5 hash:
35e22eee2dee70ae284f8b2fa0b5861b
SHA1 hash:
1e075c1d5480add67e3b537fc0001953b4428e6f
Link:
https://www.unpac.me/results/e8301f56-3c16-4371-b521-c7715a87adfe/
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/e8301f56-3c16-4371-b521-c7715a87adfe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d657c278508c896eb401dd575052850c94a77280113f93d60f0e2c4584877e35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/107040/

Comments