MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d
SHA3-384 hash: 179b07cdadac570f8d85bb9e551ab0eedeb99714dd87c03107b71b4f3bb078bc6483e36d34551aad12cd6e420e051f9d
SHA1 hash: a0b909220f3add2a12ab3fa8da8f18a5710ea632
MD5 hash: 1941b425080aeb2d67a5f87c416c78dc
humanhash: johnny-mobile-wisconsin-oklahoma
File name:1941b425080aeb2d67a5f87c416c78dc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:118'080 bytes
First seen:2020-10-07 17:09:12 UTC
Last seen:2020-10-07 18:00:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:TRDklbWQlQYGyBIU9gaSgB+bRaLMPIlwiXG:TgWaQYGyiNtdaHFW
Threatray 384 similar samples on MalwareBazaar
TLSH 37B3C98137ED820DF5BB6F367EB1901109F7BA92D986C55D1D88229F0872A40DE727B3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68821/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/484488
Signature
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294687 Sample: O5r6yd2zNz.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 84 56 Yara detected AgentTesla 2->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 2->60 62 2 other signatures 2->62 7 O5r6yd2zNz.exe 18 4 2->7         started        12 O5r6yd2zNz.exe 2->12         started        14 O5r6yd2zNz.exe 2 2->14         started        16 3 other processes 2->16 process3 dnsIp4 52 pastebin.com 104.23.99.190, 443, 49752, 49760 CLOUDFLARENETUS United States 7->52 48 C:\Users\user\AppData\...\O5r6yd2zNz.exe, PE32 7->48 dropped 50 C:\Users\...\O5r6yd2zNz.exe:Zone.Identifier, ASCII 7->50 dropped 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->64 66 Creates an undocumented autostart registry key 7->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->68 70 Drops PE files to the startup folder 7->70 18 timeout.exe 1 7->18         started        30 2 other processes 7->30 72 Creates autostart registry keys with suspicious names 12->72 74 Creates multiple autostart registry keys 12->74 76 Hides threads from debuggers 12->76 20 timeout.exe 12->20         started        32 4 other processes 12->32 54 104.23.98.190, 443, 49758, 49767 CLOUDFLARENETUS United States 14->54 22 timeout.exe 1 14->22         started        34 2 other processes 14->34 24 timeout.exe 16->24         started        26 timeout.exe 16->26         started        28 timeout.exe 16->28         started        file5 signatures6 process7 process8 36 conhost.exe 18->36         started        38 conhost.exe 20->38         started        40 conhost.exe 22->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d/
Threat name:
Win32.Trojan.GenMlwB
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 06:09:02 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a9e76d04b5ad405d59b6092f545f48dac62b1ce8ed10a260e4f90edff474c24
AgentTesla
286b00dda63a28a1d22aae31f1622b04700207b92ab0f033e8885fb55eaa3e86
AgentTesla
36f888cfcc5ca73bed330401ff231b38012baad656797b803d51157ee2252177
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c
AgentTesla
cbc01ffceb54ac490802cbb30bf5e913e9755d7fb4637dbcd1d34a7b3f399f2f
AgentTesla
df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7
AgentTesla
+ 374 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201007-pml89pcbre/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d
MD5 hash:
1941b425080aeb2d67a5f87c416c78dc
SHA1 hash:
a0b909220f3add2a12ab3fa8da8f18a5710ea632
Link:
https://www.unpac.me/results/985346cc-3fdd-4789-8cc6-5c9763d48bfa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68821/
  
URLhaus
https://urlhaus.abuse.ch/url/665963/
  
Delivery method
Distributed via web download

Comments