MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4
SHA3-384 hash: 4bb78234c030721911c59bb9d4b94789d8c36f9bd11830b69ad6494e5de980cfd6888a9a5a465b89bff40bbd8813e96b
SHA1 hash: db0063c86dcc9b8b1676f5d24ad2fa7d31ec6a80
MD5 hash: eefb8526609899c81433d17951fbf434
humanhash: six-glucose-coffee-idaho
File name:WE59574858444.COM
Download: download sample
Signature AgentTesla
Create hunting rule
File size:818'688 bytes
First seen:2021-04-12 13:56:12 UTC
Last seen:2021-04-12 14:51:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zX0EZ9lzTfbt4e4ZSRhd/MbeERbf7/RaMbwqv2vBaYiYK:Ic9lzLbtLhRhtMHDlaOOrW
Threatray 338 similar samples on MalwareBazaar
TLSH 76050104226887A2D5DDF738EDB0D7400FA3BF25D614EE0FBEE5709948E3B4B9A41652
Reporter cocaman
Tags:AgentTesla com

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WE59574858444.COM
Verdict:
Suspicious activity
Analysis date:
2021-04-12 14:02:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e6003738-43cf-4960-a47f-b597d6491265

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133776/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.645.30806.31665.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673117
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 06:43:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37cn2vjjxcdeyrh6t5nmqepsaaxsbggxzsxljmpolgub454olxca._file
Verdict:
malicious
Similar samples:
1cdb81091d98d217a4cdc8c570df9178e797af21a9d4b1bc39c49766322ae4bf
AgentTesla
4e95bcf9cf3ddc47f0ac38cf8657a7e4e136e6204dff183aa302263280cf9c48
AgentTesla
7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b
AgentTesla
82df2d9ba67f275874caca138baea0b54e90ffd727d561072243a9d9026569ae
AgentTesla
8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018
AgentTesla
8b8f8698c1165d37f1dcf607bfc31a0d8f884389b26ebbd106bca128f85e40e6
AgentTesla
9c748a69c48b79e6422b3bea1766e415de5532cb7ba2b9673d5a51163e6c1df2
AgentTesla
e006460ad1e34ddbbc28430c2d529a7ee491893c7ae8b6902b2d8d8c56620510
AgentTesla
ef885d515b4d6e1bcbd650edf17a089b6c7d5f36fcadfe65491cea49f0f53b91
AgentTesla
fb23a007cf696e3c6b119c61b62824abc56b47a7e2f82337e890acc9024bd88c
AgentTesla
+ 328 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210412-nhn57vfdnx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/881120ad-6f04-4f65-a445-2185aea93a85/
SH256 hash:
dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4
MD5 hash:
eefb8526609899c81433d17951fbf434
SHA1 hash:
db0063c86dcc9b8b1676f5d24ad2fa7d31ec6a80
Link:
https://www.unpac.me/results/881120ad-6f04-4f65-a445-2185aea93a85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 19bd0b352a50b82c411dd325b170d7689c1485850f1543001158ec8394d05e5e

AgentTesla

Executable exe dfc4dd5529b8864c44fe9f5ac811f2002f2098d7ccaeb4b1ee59a81e778e5dc4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 19bd0b352a50b82c411dd325b170d7689c1485850f1543001158ec8394d05e5e
Cape
Cape
https://www.capesandbox.com/analysis/133776/

Comments