MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026
SHA3-384 hash: 26a0d1d67c2b2c0adf56490efa29e25d06adaa001f421f15f2779dcb4f2bd9e87e9301956177f99e345c8fd79be2229a
SHA1 hash: 6488e37523c54b24e77507511be892ed67f3deaa
MD5 hash: 63a7807b5d80647ded037e51e08f891e
humanhash: cup-oven-friend-alanine
File name:P O#87534.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:30'728 bytes
First seen:2021-04-01 08:48:33 UTC
Last seen:2021-04-01 09:54:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:f/Zc5/BY8oeCK1KMq9vk49ChZTp8ILUJflene6mrs3odxLSxrBxIulvjhl2BUEt+:f/Zc5/BY8yK15av+bTiIGfls3UUpMyh3
Threatray 3'627 similar samples on MalwareBazaar
TLSH 19D28494E7DE4559F1BB7F70ABD5209E9AB3BFB66A12853F10C0010E56C2B409DD0A3E
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P O#87534.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 08:56:29 UTC
Tags:
trojan trickbot
Link:
https://app.any.run/tasks/89f0e89b-8274-4ccc-a65d-1eaa707c8e44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130546/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader38.19610.844.5485.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/661930
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379903 Sample: P O#87534.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 88 52 us2.smtp.mailhostbox.com 2->52 54 smtp.yidecnc.com 2->54 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected AgentTesla 2->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->66 68 2 other signatures 2->68 8 icloud.exe 2->8         started        12 P O#87534.exe 17 8 2->12         started        14 icloud.exe 2->14         started        signatures3 process4 dnsIp5 70 Multi AV Scanner detection for dropped file 8->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->74 76 Contains functionality to hide a thread from the debugger 8->76 16 cmd.exe 8->16         started        18 powershell.exe 8->18         started        20 icloud.exe 8->20         started        22 WerFault.exe 8->22         started        56 asdcqwdwqx.gq 172.67.160.253, 49728, 49759, 80 CLOUDFLARENETUS United States 12->56 58 192.168.2.1 unknown unknown 12->58 78 Adds a directory exclusion to Windows Defender 12->78 80 Hides threads from debuggers 12->80 24 P O#87534.exe 2 5 12->24         started        28 WerFault.exe 23 9 12->28         started        30 cmd.exe 1 12->30         started        32 powershell.exe 24 12->32         started        60 104.21.15.11, 49766, 80 CLOUDFLARENETUS United States 14->60 signatures6 process7 file8 34 conhost.exe 16->34         started        36 timeout.exe 16->36         started        38 conhost.exe 18->38         started        46 C:\Users\user\AppData\Roaming\...\icloud.exe, PE32 24->46 dropped 48 C:\Users\user\...\icloud.exe:Zone.Identifier, ASCII 24->48 dropped 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->82 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 28->50 dropped 40 conhost.exe 30->40         started        42 timeout.exe 1 30->42         started        44 conhost.exe 32->44         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 17:40:50 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qv7xqqy5y2cfrtugmglnyff26j5iv53c5yuvvycfk57qwlgoata._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
067d3156f3d1e23a1eeffa5bd970dc11da156dff7ea06b21dc5059a6f4434ce1
AgentTesla
18624cae215e58079e8a9b236056a3a98efebf35ce799cb84cbaaf67b0972e0d
AgentTesla
3d652eb897291f8eb2fe8f9374007388b0cd426a797de77545b82a325dde762a
AgentTesla
3d90f14c88ddacd592856e9e0d657d95e7bbc4bf41a0805cea58fb725bb0d61d
AgentTesla
44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e
AgentTesla
4e9cc0b9560c8add1780082c9732092af22caefd15e40ea0fad7d96419c0fe44
AgentTesla
89c562cbdc638efa1bce47475206531f66722c0e5a9703e6777ac35547befa2c
AgentTesla
aa49703f23768692b287e91705c8a0037dc2f7b6ec02bf3f4d00ed863e3480f4
AgentTesla
c610f73e30114e8b05d5077870b71af41e4ab99b94c6eef2f23da7e33512af87
AgentTesla
e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb
AgentTesla
+ 3'617 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210401-k1tecy17t6/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
AgentTesla
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026
MD5 hash:
63a7807b5d80647ded037e51e08f891e
SHA1 hash:
6488e37523c54b24e77507511be892ed67f3deaa
Link:
https://www.unpac.me/results/cf7db470-f3c9-4e43-b2a6-f7f49ab6f9be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z f591e41df0305dbf7215b3b784d788473a618f105d47b88d6a5de58069962fec

AgentTesla

Executable exe dc2bfbc218ee3422c674330cb6e0a5d793d457bb17714ad7022abbf859667026

(this sample)

  
Dropped by
MD5 47c825fb685b53f29422a093a0584260
  
Dropped by
SHA256 f591e41df0305dbf7215b3b784d788473a618f105d47b88d6a5de58069962fec
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130546/

Comments