MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10af6de01d9a3c0ec83fc5000aef4d99f2be29e6215a799ee0db880ce9c67fb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10af6de01d9a3c0ec83fc5000aef4d99f2be29e6215a799ee0db880ce9c67fb7
SHA3-384 hash: 546548f86d5db7553a13b2f0e6df908014aadb6e597295785ee7cda5d1e22a5c4437dcab48128695f9e4929db90e4880
SHA1 hash: 53e160cd076750375611507dec96ddee2d20a849
MD5 hash: 31679ff789315329e4e0a3edf357e96d
humanhash: may-alaska-carbon-hamper
File name:31679ff789315329e4e0a3edf357e96d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:839'168 bytes
First seen:2020-07-20 14:33:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IrMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnma2k4zUpKPyVF5hTEP3K4vwBkbQjP:IrvxguwcLjrRqVqP3jBQ
Threatray 10'633 similar samples on MalwareBazaar
TLSH 84053AF79B4D81C2C8AF9EBCC48207710997ED85F0F5A60B03667C363676BA0D88556B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
bh-58.webhostbox.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29216/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.68771.15344.18859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391793
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248254 Sample: 5wqWSDYiP3.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AgentTesla 2->35 37 Machine Learning detection for sample 2->37 6 arnold.exe 3 2->6         started        9 5wqWSDYiP3.exe 3 2->9         started        12 arnold.exe 2 2->12         started        process3 file4 39 Multi AV Scanner detection for dropped file 6->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->41 43 Machine Learning detection for dropped file 6->43 14 arnold.exe 12 6->14         started        27 C:\Users\user\AppData\...\5wqWSDYiP3.exe.log, ASCII 9->27 dropped 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->45 47 Injects a PE file into a foreign processes 9->47 18 5wqWSDYiP3.exe 2 15 9->18         started        21 arnold.exe 4 12->21         started        signatures5 process6 dnsIp7 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->49 51 Tries to steal Mail credentials (via file access) 14->51 53 Tries to harvest and steal ftp login credentials 14->53 55 Tries to harvest and steal browser information (history, passwords, etc) 14->55 29 bh-58.webhostbox.net 199.79.63.24, 49721, 49722, 49723 PUBLIC-DOMAIN-REGISTRYUS United States 18->29 23 C:\Users\user\AppData\Local\...\arnold.exe, PE32 18->23 dropped 25 C:\Users\user\...\arnold.exe:Zone.Identifier, ASCII 18->25 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->57 59 Installs a global keyboard hook 18->59 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10af6de01d9a3c0ec83fc5000aef4d99f2be29e6215a799ee0db880ce9c67fb7/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 14:32:47 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccxw3ya5ti6a5sb7yuaav32nthzl4kpgefnhthxa3oeaz2ogp63q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3ccc1c2dac5ed7831c10eb78eec7881b1f282e0c2c232602f78845661aaedc5f
AgentTesla
55dda2889a2fae3ddbe54c70a6ff687d366887a672502d00513543bb9aa482f3
AgentTesla
56fbebdb22c7244e81aefb20b4a95c1e7fa95791c3d22ffa92676bf1e668952b
AgentTesla
5b4fbcacc1b3bc337a2c67318ff72d21f2c286c00472a8cb3c49bb0d19c2507a
AgentTesla
6b2503a98a3f1b29173e7e42867b4ac5e21a825348b791ad4a6ea12966720514
AgentTesla
97e6267855cefb9ff2f241573427435337aef6acc035121a2e0a098a6f6b58f6
AgentTesla
c79e56ff3aa04021d7c99b5d638034780cafce941ff6039fb3bae407c1257e54
AgentTesla
d09db6d2d1ffe48600422f7d17e18e62233a505fa78339f3805ea56cbb5fbc61
AgentTesla
f7fe3c3f88aef6e3994fb4fd091930f5870998c1de9785c65b1294718563af97
AgentTesla
fb36e4d451d873356360a81436a985e64a97299bed171be05b7deec349ddd519
AgentTesla
+ 10'623 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-54hrx2n4a6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10af6de01d9a3c0ec83fc5000aef4d99f2be29e6215a799ee0db880ce9c67fb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29216/

Comments