MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eddfeca548fc1464fd8937442f58b868ade0a2a5b9a2780384cf622124b35c71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 7

SHA256 hash: eddfeca548fc1464fd8937442f58b868ade0a2a5b9a2780384cf622124b35c71
SHA3-384 hash: 724d4371eefdbd1892049539eaf758143e0acd98b33e250bae7b1b4d17165ae2076ee39c60ed502d6f9d53bd997573e1
SHA1 hash: dbe19ef6c963557b019b558a9101a67e51b4645d
MD5 hash: e2556f587891c051a883bad2d32be1b0
humanhash: salami-nuts-colorado-potato
File name: NEW PURCHASE ORDER.EXE
Signature: AgentTesla
File size: 277'176 bytes
First seen: 2020-10-04 08:21:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 6144:Wr22YGyoe20sSysESzMMO1gNCz/1NeSDOydFcw:QYGyowkS3O1r5mw
Threatray: 278 similar samples on MalwareBazaar
TLSH: F8443A1D72A8E08EF4BB1FB05D69F02007717ABE5482DE0D6C9A3A5E59F370058593AF
Reporter: cocaman
Tags: AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: Oct 3 00:30:02 2020 GMT
Valid to: Oct 3 00:30:02 2021 GMT
Serial number: 690CED884FA9D7A5F2190F00D2A9D3FC
Thumbprint Algorithm: SHA256
Thumbprint: C096ECB80E38116EB46F784B9A488CE92D7545DC0BFBE343B983D74A413A525B
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.Zeus
Status: Malicious
First seen: 2020-10-03 04:14:53 UTC
File Type: PE (.Net Exe)
Extracted files: 17
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: spyware keylogger trojan stealer family:agenttesla
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: eddfeca548fc1464fd8937442f58b868ade0a2a5b9a2780384cf622124b35c71
MD5 hash: e2556f587891c051a883bad2d32be1b0
SHA1 hash: dbe19ef6c963557b019b558a9101a67e51b4645d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method | Malware family | Sample
Malspam         | AgentTesla     | Executable exe eddfeca548fc1464fd8937442f58b868ade0a2a5b9a2780384cf622124b35c71 (this sample)