MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d
SHA3-384 hash:	14337d906a2d8c10e4a381832dae97c1ceda2e07ec089067a4560247eddbf28efac6610d1ead99ba2272d2ea5c65601e
SHA1 hash:	4a34825946a8c3ce267ecb6cf27d8d9b212344a6
MD5 hash:	d0bed35c9c0c8978d426739cda487034
humanhash:	nineteen-friend-cold-montana
File name:	SecuriteInfo.com.Trojan.PWS.GrandStealNET.2.14775.8071
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	731'648 bytes
First seen:	2020-08-01 13:28:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e94294aa486edca6180033051104c39 (5 x AgentTesla, 3 x MassLogger, 2 x NanoCore)
ssdeep	12288:R1i+/Z6i2pC138ktn6gCA4iFsrnTp1zPgcERidDQEBVBhYcGAyJiKpAc4ld:jNZopgQgY2O9IcERidEEBScG5pWj
Threatray	11'771 similar samples on MalwareBazaar
TLSH	5EF4AFF2B6D0D437C26F16F98C0B9764E83ABA101A2914B62BF50C4F8FF968135E5197
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/36888/

Detection(s):

SecuriteInfo.com.Trojan.PWS.GrandStealNET.2.14775.8071.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/406585

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d/

Threat name:

Win32.Trojan.DataStealer

Status:

Malicious

First seen:

2020-08-01 08:11:04 UTC

AV detection:

42 of 48 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tgdw5ziiakcio2gtfvwnc6iucyb5oysz4m6ceo2hebhdh32lifwq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

24154b374505bf76998acbeb5dafbf42a61a516234f2f1b708784ec3669bfbd1

AgentTesla

311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7

AgentTesla

367d1fd29045416d80d3b22efd7b0684601c184ea06cbeffad5b4562fcee0533

AgentTesla

3d604878a1a81c85be92fc830d195e4503cf17c9e8cd3e6778e2f4c3cf14c83c

AgentTesla

7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d

AgentTesla

93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662

AgentTesla

9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d

AgentTesla

bee273e8651fb168e330da50d83a3e4ad3769692d365d20f0cd9e1afbe13bcb0

AgentTesla

e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc

AgentTesla

+ 11'761 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200801-z7cps5hnbn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36888/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample