MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72
SHA3-384 hash: 2b16e01d649b75b5bf11ed4f367a176a389c74db47821061955e05aac57853305f5ae2b6c68bda4ed59f3aaf0b4116d9
SHA1 hash: f28bdfd9cd7dc9ade291dab2b2602b006834b485
MD5 hash: 98a5cb98aed9407b251e046c3b82fc86
humanhash: ten-william-fanta-papa
File name:PLG.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:486'400 bytes
First seen:2020-09-28 09:02:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MwADBNXtrtr8CSswXR2peZJz7ViQvi+YUBixpwI7:MwYHrtcdRGcJz7ViQv0U0Z7
Threatray 191 similar samples on MalwareBazaar
TLSH CEA4CF3493C84F17C3AC26B9C41D291103F38556E276FF89FCA410F61BDA789A77266A
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66373/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476283
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290592 Sample: PLG.exe Startdate: 28/09/2020 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Found malware configuration 2->35 37 Antivirus detection for dropped file 2->37 39 9 other signatures 2->39 7 PLG.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\Roaming\oRaUwkRnK.exe, PE32 7->21 dropped 23 C:\Users\...\oRaUwkRnK.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp454F.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\Local\...\PLG.exe.log, ASCII 7->27 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 11 PLG.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        17 PLG.exe 7->17         started        signatures5 process6 dnsIp7 29 gautengelectrical.co.za 192.185.156.157, 49747, 587 UNIFIEDLAYER-AS-1US United States 11->29 31 mail.gautengelectrical.co.za 11->31 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 19 conhost.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 04:49:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zp6ktivs722zsxn6c2fv7pj3c3touquanjcl4bzzgoimj5jxvza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00c0720db185618e9ce9f91b819fcd1c2dfdc909fb4c3eeb224ad83d2551abb2
AgentTesla
24125276968e3271c0021b08a86ef2f8c284394758b8fe2e33522b0703fe6e28
AgentTesla
a49c1be213b2dbca8ad90cf4d212b0d125cfc12eed597b6f0bf0edcbca1a4282
AgentTesla
a74aa4ad9ddfcc9a2e8ce9ad85ef55b57526e630fad8b20dc01bd26b13e878ed
AgentTesla
b92d0e306e620dc2f6f39228cdff6e77aa9c871d82ee4f20cb5b3cf736f48093
AgentTesla
bb7137f657b117d9f81a63c868e6e252184f0581052966aeff79ae5b298d9c44
AgentTesla
be0c4ead0ff1af339d06306edb57854a0c5bc77fc46ad963b53f76a3747aed25
AgentTesla
c83d1de6588bfc8fde4db24a20f2cdcbecd2917faf45e5f3327fccd01e80b953
AgentTesla
cc4bdca8feec2bd7736eb6edb0b17769815bb174d1dcb11cb652952a760f1a67
AgentTesla
dd10a839cf519c1f245ba3c21cdac6b9d8d7d863b4f0336be99b4da9e0254808
AgentTesla
+ 181 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200928-x1qev94kcs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72
MD5 hash:
98a5cb98aed9407b251e046c3b82fc86
SHA1 hash:
f28bdfd9cd7dc9ade291dab2b2602b006834b485
Link:
https://www.unpac.me/results/bc9ee19c-91f0-49be-a4b6-11c2d83757d1/
SH256 hash:
fb3f6f05a6e3344695591281a2127b5d2a1f42fe7c08b3fef93dd0ce9a505db4
MD5 hash:
edc7141b3b75f3be0b058ff9c2c775a5
SHA1 hash:
328dc96cf7c617d755dbc491559fe7e43f80f4e9
Link:
https://www.unpac.me/results/bc9ee19c-91f0-49be-a4b6-11c2d83757d1/
SH256 hash:
b1fbf38fef93240f26f6628e1914be902aedca52874673be9e80d23e0e598e9e
MD5 hash:
9dd1130b0f0c9be466c5f816e433e1f0
SHA1 hash:
6c162b73fae3b8996b4e0f89ed7b202cbdf40dc3
Link:
https://www.unpac.me/results/bc9ee19c-91f0-49be-a4b6-11c2d83757d1/
SH256 hash:
f91136b3f9578e4787485acb78c2e8426f29b2b53137f30b9da2ddef7f1aa0d2
MD5 hash:
5540aa958af14cc012e560ae882105e2
SHA1 hash:
934fed584590da075b3119b23fc3a67de85588a5
Link:
https://www.unpac.me/results/bc9ee19c-91f0-49be-a4b6-11c2d83757d1/
SH256 hash:
182ff4977a862e284d2cb415701cdfca0caef17ae618437d585b9f37070ebdd5
MD5 hash:
dbbdc68fa6aeecfa635133a8e65a271b
SHA1 hash:
fb7f768ffbcee2f6ea5573bd318733e141abf05d
Link:
https://www.unpac.me/results/bc9ee19c-91f0-49be-a4b6-11c2d83757d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f65fe54d1597f5accaedf0b45afde9d8b7375214035225f039c99c8627a9bd72

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/505026/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66373/

Comments