MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da
SHA3-384 hash: e35b56050594fe9c61009f0edaaf35ca0e6a20a32c78307d6b842f67ff1c3ba5bd2d8f320a1cf529e5498d31bf2bcfff
SHA1 hash: d0206cd68ea1419c4c020631717b3cfe641742be
MD5 hash: 2fc11cdebc27214a7d68f16f59d697b1
humanhash: neptune-sierra-yankee-delta
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'584 bytes
First seen:2021-07-14 10:00:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ApQUCG16DrlKjjhYiBpjjVAW4jU8vy2VMyyORGZZ6p4z/:ApQUMBMY4ZV4U8qaMyyO4Zx
Threatray 6'749 similar samples on MalwareBazaar
TLSH T17EE4BE2733844A27CBBE42B9B650E090F761ACABB701DE0F2AC372D6556B70154D6D2F
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 10:02:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39adf4f9-3d71-4d15-b43e-37aac8ef4db2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171621/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b90a9f8-9cdf-4e7a-85d5-94a5700dfd58
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816129
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448540 Sample: SOA.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 7 other signatures 2->55 7 SOA.exe 6 2->7         started        11 uwmDRDg.exe 5 2->11         started        13 uwmDRDg.exe 2 2->13         started        process3 file4 33 C:\Users\user\AppData\...\djeCwcbmJZzPnX.exe, PE32 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpAC70.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 15 SOA.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 SOA.exe 7->21         started        23 SOA.exe 7->23         started        25 schtasks.exe 1 11->25         started        27 uwmDRDg.exe 2 11->27         started        signatures5 process6 file7 39 C:\Users\user\AppData\Roaming\...\uwmDRDg.exe, PE32 15->39 dropped 41 C:\Windows\System32\drivers\etc\hosts, ASCII 15->41 dropped 43 C:\Users\user\...\uwmDRDg.exe:Zone.Identifier, ASCII 15->43 dropped 45 Modifies the hosts file 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 29 conhost.exe 19->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 10:01:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=25pljmfkpzaidvan5ts3xmngxgebeczrdoeeddw5hgoukvjfutna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
70b5c48255e4eaadbf6cc289dbc9b21c46a5fdbf8d2997e232e1960594b74498
AgentTesla
73f59e4a55e630ad4d2d4d1ad2c1c918a0f71bd8a0a8b6aaba5cad37cb913a06
AgentTesla
75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6
AgentTesla
9c9a46794e95fd68fca94f44894192571216f1fceabc5f1a6a33ea4ccddcef59
AgentTesla
eaaf0dbd2ab3f74585203a1fd6da7f3d62198d532777d1b86e5cc247d881c159
AgentTesla
f47f9d673a5a84c416306dcf513c59f56b686b4a17e1b12028c22672dc71fca9
AgentTesla
f9508e3d52fd619f0d3ebf24a1a9cd4c0ed1caecf46f53a18fbc5ba2831df0f7
AgentTesla
+ 6'739 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210714-zznd4kxr1j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/6b038e19-737a-45f5-a8ad-dd1da03e36b4/
SH256 hash:
10a0915c673d1b6d2e297ad492ac0c228758c2f9f87b29df630e5c6c1967cb81
MD5 hash:
67b8d7742644349d3838e04904992766
SHA1 hash:
6fd9bf04215b8bc3fce91236480e2a4346ef194c
Link:
https://www.unpac.me/results/6b038e19-737a-45f5-a8ad-dd1da03e36b4/
SH256 hash:
18f048fe4d43531f47a10da77988d1208d216d87a753a38ac2502854243d7f57
MD5 hash:
c6d7f52162008e8fd8ac99f0e053cfc0
SHA1 hash:
63504dcee4db51cb1b1a18055ff018e4b0c4dc7a
Link:
https://www.unpac.me/results/6b038e19-737a-45f5-a8ad-dd1da03e36b4/
SH256 hash:
d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da
MD5 hash:
2fc11cdebc27214a7d68f16f59d697b1
SHA1 hash:
d0206cd68ea1419c4c020631717b3cfe641742be
Link:
https://www.unpac.me/results/6b038e19-737a-45f5-a8ad-dd1da03e36b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 17d14760f141c587d0511b1771ad60b10722a358d497669f88cdc83609ab2ad6

AgentTesla

Executable exe d75eb4b0aa7e4081d40dece5bbb1a6b988120b311b88418edd399d455525a4da

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 17d14760f141c587d0511b1771ad60b10722a358d497669f88cdc83609ab2ad6
Cape
Cape
https://www.capesandbox.com/analysis/171621/

Comments