MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf
SHA3-384 hash:	3cb5e8a81ec4224d2c54c67d0fc4f01936fe55f93205edfce4f8203dadf99b50be660bcb55ee3b65eb586fcba78fab66
SHA1 hash:	8dc353d5aa68852d71bcf5acb1dc3db96d1e408d
MD5 hash:	0cf1e4b8de0d3376eb4e3c050ed7e47d
humanhash:	island-november-sweet-cat
File name:	taXvSy21KGwmeTI.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	987'648 bytes
First seen:	2021-02-07 07:38:52 UTC
Last seen:	2021-02-07 09:54:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:dcGX5eZh5CQFgdi74jWlPhMlwipCAflwnlS:dcGpeZjCHd0JhOxwnlS
Threatray	1'482 similar samples on MalwareBazaar
TLSH	F625CFAC365079DFC957CD768EA86C64EA2460B6530BD20390631AEC9A0DEDBDF041F7
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: server.gasbod.info
Sending IP: 70.35.203.135
From: DHL EXPRESS <alfredo.soria@dhl.com>
Subject: Confirmación de envío DHL Express
Attachment: gua de carga.pdf.gz (contains "taXvSy21KGwmeTI.exe")

AgentTesla SMTP exfil server:
mail.prozero-d.com:587

AgentTesla SMTP exfil email address:
security01@prozero-d.com

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

taXvSy21KGwmeTI.exe

Verdict:

Malicious activity

Analysis date:

2021-02-07 07:41:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/678f8abb-18d4-42ea-8db2-c3133fe39cf4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/115952/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45691438.6477.17765.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/601214

Signature

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-06 16:18:19 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7su4tpqukqjbpeu5mjo5d36qie43kaorecu2pjnsth6nfi2joo7q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1c63fa7373f5f711ad83af0599a16ab33fcc40533c1b0d1ee7f0d0075b9ea079

AgentTesla

4574055c204f272af805107051d06291970dfa5e1f05fafd268f17b499b3ebf8

AgentTesla

48e8ff87262aacbe6b64962d5703ddf042e51bd5cd099bc787923ab33f172ccb

AgentTesla

7bca3fbd8dea9576f18a6764531822a69b7993ba7f37cf34b3e5ce62925eeef6

AgentTesla

ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821

AgentTesla

b90e0056190e4d819c069fc8577ba24a335caa720e88ee28317712005b735999

AgentTesla

b919c28c93fb3d1bc5bde1d2a76cb8c43685c89d77694f663bd6bb5ef68b74c3

AgentTesla

c57e0fc02e939ef6d9f2e1d92cd74d6ed7df502a1c2ded6e8ae68f6bc5ff3aec

AgentTesla

f0d974877788d51cac1ed85bc88b5a91ec314d44ce32893c0fa676bbad300fa5

AgentTesla

+ 1'472 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210207-m5zdtksdae/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720

MD5 hash:

11e80c54bfeff7f0c120dae46df0a8be

SHA1 hash:

d597b9b0dcac06f0aa00a931bb90de8eba564651

Link:

https://www.unpac.me/results/2fb41376-0f63-4b6f-bb5b-7793eec01948/

SH256 hash:

75e6087b2f572a95f01cdfa1ff7781765e4be89e36aab71ce852cc29c8929977

MD5 hash:

6cd80ba42518d8ada3253a8643920126

SHA1 hash:

8bbba473ed8daba886df9c3b68c464069875acb4

Link:

https://www.unpac.me/results/2fb41376-0f63-4b6f-bb5b-7793eec01948/

SH256 hash:

fa9b2af74188e60d4eeb65ee5bd3c09537a246ce448041a002dda17c83572b1c

MD5 hash:

0ee1c1adb57d1416647ae33dafc525cb

SHA1 hash:

23ea5e718c39ea6efc0b5e4e64c0ffeb20333841

Link:

https://www.unpac.me/results/2fb41376-0f63-4b6f-bb5b-7793eec01948/

SH256 hash:

fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf

MD5 hash:

0cf1e4b8de0d3376eb4e3c050ed7e47d

SHA1 hash:

8dc353d5aa68852d71bcf5acb1dc3db96d1e408d

Link:

https://www.unpac.me/results/2fb41376-0f63-4b6f-bb5b-7793eec01948/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fca9c9be14541217929d625dd1efd04139b501d120a9a7a5b299fcd2a34973bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time