MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7
SHA3-384 hash: a300e94ae8f18d492fdc047dd7d4f3e721e55cac9ebae1e1275fd48c6358e212df7faf42d3afbe6aa1a5a28da7f7d476
SHA1 hash: 6b66e66f58f54919ac5146558c887106a09c2f9d
MD5 hash: ca055ba58df8f7352fb0d26795c5a5d4
humanhash: oven-triple-leopard-vegan
File name:New Order #1019213.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:825'856 bytes
First seen:2020-10-07 14:31:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92604fb3a4f39675f5df0ea054782743 (4 x AgentTesla, 2 x MassLogger, 1 x GuLoader)
ssdeep 12288:KebMW1iNFCCmdS7rdGLDpvyEomix6n8DapzIwx12o1E:0dF9mdS7kDwZTcn8upIO14
Threatray 1'798 similar samples on MalwareBazaar
TLSH F0059E27B2A04873C12326F89C0B4BB46D26BE1139E8BD466BF5DD4C7F7968178252D3
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68970/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484293
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 08:02:16 UTC
File Type:
PE (Exe)
Extracted files:
92
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=34tbqi3k6amostrmcz4cn3p63ap2vnngywwoevoyjwpqoklkmpdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0adc7e74c78f1d91fa1972467bdee948477ade15409a3f2924f337de4038ded1
AgentTesla
0e27fff0e39073727446b880aca45cf3a065e450308c36b06374233318d7833c
AgentTesla
1fd11332a2763aa7221a3a5386a35b97ce25e18a5af4c07ff95f056935fe9360
AgentTesla
21359248fdd77b3fb66b1910399bbf0f3433e47cd97bc8a6244716e34280c877
AgentTesla
748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803
AgentTesla
7dd8c75b70b07b8b06f2601cf82c02027e525d27ae0a2a20ef40b0eb1d132908
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
ae2afbb4c70886f6864113ba14ff4fc9065dba86be202b651e33cff8e504cace
AgentTesla
ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52
AgentTesla
f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce
AgentTesla
+ 1'788 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201007-yj17d6dq8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
1d2a6e8429d5c5ab02975c9b1696088ba309ba2d50dede8e0e0af4f20c0f6314
MD5 hash:
4803804e649c4b76cb1c1e454134e599
SHA1 hash:
4b904b8f08cb3baf52da96592c379d68b9de0658
Link:
https://www.unpac.me/results/34492194-017a-409d-911b-d884957c893d/
SH256 hash:
5308bf56ce2a6045219d762e6f6302f0bde409094e9f6afa12b509c8d7647d37
MD5 hash:
b9e1b62f6dce736954e3a35737de63ce
SHA1 hash:
242c387e35b68b02767ccc1e65377a8b5c56060e
Link:
https://www.unpac.me/results/34492194-017a-409d-911b-d884957c893d/
SH256 hash:
df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7
MD5 hash:
ca055ba58df8f7352fb0d26795c5a5d4
SHA1 hash:
6b66e66f58f54919ac5146558c887106a09c2f9d
Link:
https://www.unpac.me/results/34492194-017a-409d-911b-d884957c893d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/68970/

Comments