MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 934982623de62355613d2c7e8f8d1edee0a5db84c99636fb9ee543e7cfc6a079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 934982623de62355613d2c7e8f8d1edee0a5db84c99636fb9ee543e7cfc6a079
SHA3-384 hash: 87eb413d839639ea4d9a989dd9bde83fc08a512989c24884923b60a8d949da91a365ff2b2d9d3dfd41b39d53635de6af
SHA1 hash: fe4f449016a6c8fc0e3517d40dd5d7b4b68ae42f
MD5 hash: 2121dbe8a73e96250eabdfaa102b43eb
humanhash: nebraska-social-mexico-avocado
File name:princex.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:947'200 bytes
First seen:2020-07-09 13:52:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep 12288:xVDQmQK44+3gCiU24vBV3RpqTf5RqH+YalI3QmMTP/DsgeA9Gv0+SHrZCkHvBdWo:TkAVCi74LofeHXecQmiDXeOCSHrwK6Cx
Threatray 11'147 similar samples on MalwareBazaar
TLSH 87159D22B3904433C1631A3D8D5BE778982ABE712E28BA4A7FF55C0C5F3A6413975397
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23885/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.14887.31971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/934982623de62355613d2c7e8f8d1edee0a5db84c99636fb9ee543e7cfc6a079/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 13:52:19 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sneyeyr54yrvkyj5fr7i7di633qklw4ezgldn6464vb6pt6gub4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0dde348228b5ad99d94e434be378b31e114ec0dbb9a008db1218d3a349ceea8b
AgentTesla
3147804cd376f42bc7b89614a40adf096b91391c1f768e9926b69951f8e09db1
AgentTesla
3a052762219035c320097a6a2c59f3023b69ed8022d1b4cf100aafe3446c9698
AgentTesla
46e4f16115ed5c3689638efe671b3b8d9fa2deca92afcab330d31f99a5fb1850
AgentTesla
775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330
AgentTesla
ae451bf0f958bf82ce70a55e5e0af6fbb70f1b06cd0bacb5bdc196c16f6da11b
AgentTesla
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
AgentTesla
ead74c9cce8a3bc5dec5f0bc9f860f90fcd6791cdacce3ecd59e3e96ac0035c9
AgentTesla
edd3a9064d9828a06d55be4ea729afe1847c1ea5190287469ee8ed2088c018b0
AgentTesla
fcbb5d4d6c4a961d1faf8ffd19547765cc67b6cb7d6ac05006ef651c55d66774
AgentTesla
+ 11'137 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200709-rgmttmrjpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/23885/
  
URLhaus
https://urlhaus.abuse.ch/url/410522/

Comments