MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc948c4248c3aeaf84dc54589a071e86fac7baa0d652694734bacccd89103a15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	fc948c4248c3aeaf84dc54589a071e86fac7baa0d652694734bacccd89103a15
SHA3-384 hash:	5de940c885863feb9c80b77f1e60d910e201792f494406ce51a71452f280319bc22694e94de5e2c626ec90b8ed8be5b1
SHA1 hash:	a01d55130e3d9a18a6843c719989ae1447796dc6
MD5 hash:	22d53a21f09abf9c6c8efd874691af92
humanhash:	connecticut-fruit-mississippi-echo
File name:	PDF4563156888.EXE
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	900'096 bytes
First seen:	2020-10-23 12:37:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:vULRDeQcbss2AYvPHlfJHUeSDZ1vxF2Jb8RZ4viOBPNIl7GF:vUOgTbv/lfJHDSDZ1v6JQ4viAk7GF
Threatray	756 similar samples on MalwareBazaar
TLSH	0315BE006298CF12E27E57F1E42405F54BF92CAAE56EE29B0CA27CDD3672F405E65B13
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/75048/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/508113

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc948c4248c3aeaf84dc54589a071e86fac7baa0d652694734bacccd89103a15/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-23 08:18:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7skiyqsiyoxk7bg4krmjuby6q35mpova2zjgsrzuxlgm3ciqhikq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887

AgentTesla

3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380

AgentTesla

51fc4c13e2fa607113d821aaab2ba2e96d10097d69698ec3facc71b8b751e068

AgentTesla

7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e

AgentTesla

8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4

AgentTesla

ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196

AgentTesla

b7adf1bb5628fd6ec0905e0d3f32c20c39f401ce845f73e15ce867aca4a531fd

AgentTesla

d03792e976baeea6547686ff0fe4ced755f9bad76ee6e3ff3c5f4adf93cbb0f8

AgentTesla

fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e

AgentTesla

+ 746 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201023-3mr24ge98j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

34e29adec6344bc1aa00523d85912febd705b0391cd2f0821349f00e40385a92

MD5 hash:

b1c14a9b9c6fb2dfa6e4eb0acc1074fe

SHA1 hash:

1c9f4d09728d85b6fc00cc0a28f01cae640fe71c

Link:

https://www.unpac.me/results/347657d4-ce52-4fcc-80b1-db3dfed779b6/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/347657d4-ce52-4fcc-80b1-db3dfed779b6/

SH256 hash:

8a512e158203d1c269d0a403ccfa11d891b9656c20efcf8c3da8a369e6ecb1b4

MD5 hash:

c741e40e6cc3457a890cce95c831ce16

SHA1 hash:

5f5fceae1c7409ef26f2253e7ed2233ede4adb28

Link:

https://www.unpac.me/results/347657d4-ce52-4fcc-80b1-db3dfed779b6/

SH256 hash:

fc948c4248c3aeaf84dc54589a071e86fac7baa0d652694734bacccd89103a15

MD5 hash:

22d53a21f09abf9c6c8efd874691af92

SHA1 hash:

a01d55130e3d9a18a6843c719989ae1447796dc6

Link:

https://www.unpac.me/results/347657d4-ce52-4fcc-80b1-db3dfed779b6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc948c4248c3aeaf84dc54589a071e86fac7baa0d652694734bacccd89103a15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.