MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f
SHA3-384 hash:	67edf595261d1943422acf0e3d085d15cd8be8da4c7825515eca9b760cb94b06525c55d54835b2f8080afecf3a608597
SHA1 hash:	03a2f452597d0127b148b0143cdee1c3012991fa
MD5 hash:	cc1f938d9a66958e2113a80e7c5f08b3
humanhash:	september-maine-summer-romeo
File name:	PO-I20100309.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	565'248 bytes
First seen:	2020-09-18 12:57:19 UTC
Last seen:	2020-09-18 13:38:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:HZz7hA++rQksppuYE1UxOzQmfqfPTrF4ilLptC0I7d:LARrrCZE1jfoTr2ilLj4
Threatray	58 similar samples on MalwareBazaar
TLSH	82C4AD1031AA7B0AE5788BF80204B472D3B5582A3256C6C47F8336FEA5F5BD07E65B47
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.23275.31852.21326.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/469951

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-18 10:19:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vbhzlxj2fmmysf2tnna5tjsiotxwnkpa4zbux4a4x643yl25wpq._file

Verdict:

unknown

AgentTesla

37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b

AgentTesla

3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b

AgentTesla

614052880e43375009bd02fcb10e8399d2e855cff58fc27ad94711dee1973186

AgentTesla

7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873

AgentTesla

93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058

AgentTesla

954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b

AgentTesla

b98ed6a71c93bc3722112643bea2bbe8767e016d807e0463266ee2fd47ad9e80

AgentTesla

c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd

AgentTesla

f03aa3254a964c676c99d1b2e96ef0e84d4c81e3b0885debf8e49f731c3d4779

AgentTesla

+ 48 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla persistence

Link:

https://tria.ge/reports/200918-7ayyl9lzje/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 3d43eea70e627860268148bbb8c8ae853cf19c01f6b36c2ee1a84f0e5e2a40ac

AgentTesla

exe fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f

(this sample)

Delivery method

Other

Dropped by

SHA256 3d43eea70e627860268148bbb8c8ae853cf19c01f6b36c2ee1a84f0e5e2a40ac

Cape

https://www.capesandbox.com/analysis/63421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample