MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889
SHA3-384 hash: c082071eb1b272b0a37860926c62f50f82d47e65b7f20741bf13b0a2a654423ab96210d59a298e736aa4ac09050ff942
SHA1 hash: 9fb1f64f8ddbbec75325f3dd10f8143e97eb5016
MD5 hash: 6779b8c3562f5398617ad030d516d220
humanhash: cat-august-hydrogen-purple
File name:PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:398'336 bytes
First seen:2020-09-29 19:37:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zy72kRsyMA7vazq43x8KMj3aAPIZG2mqXR:9kRsyRCO43erzPgGu
Threatray 312 similar samples on MalwareBazaar
TLSH 9284016470E00BB5C2BC6FB9656E1F2892B38523C022CE6EDDE564F44F5EF92C958583
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66851/
Detection(s):
Sanesecurity.Rogue.0hr.20200929-1306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/477812
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 22:51:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5747jyq73p7btckarfmur3cb6hmollnunbx3j57hfnxjaqqfjceq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15ef597d7c75003efe90c9a85c5a80066671c664a1db0ea6be28c0e0f1370be3
AgentTesla
1d92907e65f00792c2eecabf72a121dc5a2f53c9e85650eddc24ab6ad4a07e8b
AgentTesla
4525a67f95e89fc3f2578b8f5896ab245bb39b6e23073b4160a80ada9c8308bb
AgentTesla
b14f41c4f83029cffe92e95429c9facb34c7f7b0378d61e7dbad92415f6abb58
AgentTesla
b90e648ea2d913c493765798db8d443a355bcba18f973c5957e5f959ad794a60
AgentTesla
be2763ce4e6c5c6a228efc795006966af947a33bb7992121d9f139f161f7ab15
AgentTesla
c486e1164e6673d53529376e153bbec949ea988da1a167e5dbb9f4cd0234fdef
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
e438d3d16690fe7c24844f8ebc7e2c5f66c2b24eb24b5d5f9afa9a863fa9d19d
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 302 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200929-s8cl1y1gxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889
MD5 hash:
6779b8c3562f5398617ad030d516d220
SHA1 hash:
9fb1f64f8ddbbec75325f3dd10f8143e97eb5016
Link:
https://www.unpac.me/results/bfa8d2bd-6ba2-43a0-aba3-8d02947c6939/
SH256 hash:
d8d2910650590a7e5ae72320280025cfe5ce76553818564f01d26b387eea4022
MD5 hash:
d22f12a4557f303260b1d74e555d50fa
SHA1 hash:
125fea3ad26cec0e49b5068a883867ae992de172
Link:
https://www.unpac.me/results/bfa8d2bd-6ba2-43a0-aba3-8d02947c6939/
SH256 hash:
8b95ce9879c15954773b37684b3c682271364c9e32cbe2c748043a89e877b0d9
MD5 hash:
acd8c01bbaf3e3fdeb568e025c76dc0f
SHA1 hash:
a12d65d213e877bfa0bb2f54cf1b295df214139e
Link:
https://www.unpac.me/results/bfa8d2bd-6ba2-43a0-aba3-8d02947c6939/
SH256 hash:
062361eb29797e922ed6141d3639e929ab073adcd18dccd16f3eb617fe5973d9
MD5 hash:
a377cc3762f05c0596a729dcf6dbf609
SHA1 hash:
bcd0071efd0b990ce1925a69e1c5508b9fff3459
Link:
https://www.unpac.me/results/bfa8d2bd-6ba2-43a0-aba3-8d02947c6939/
SH256 hash:
77038a2f58ac8141a67ab037202adf3ae6e8e141ebe8ad5082d60f973f114921
MD5 hash:
d2b957c6726a11836d7e1b5040c57fdd
SHA1 hash:
f36644b6cc491d3d6a1c317169ac537f8be5f846
Link:
https://www.unpac.me/results/bfa8d2bd-6ba2-43a0-aba3-8d02947c6939/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 49ad6c1248007a4ac4414326163a7fffeb97b86baddb91a5ca9372aa0dc069e9

AgentTesla

Executable exe eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 49ad6c1248007a4ac4414326163a7fffeb97b86baddb91a5ca9372aa0dc069e9
Cape
Cape
https://www.capesandbox.com/analysis/66851/

Comments