MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10


Intelligence 10 File information Yara 4 Comments

SHA256 hash: a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463
SHA3-384 hash: 002d66e88c8481e5523c048de55823b6f4daa513a698ab9f373855b2f87ac48a8acbb0ed78dea82450c7f4f6d76e3366
SHA1 hash: a4ca2077b7195c6e9cbcfe932275840b7a03e016
MD5 hash: a61eb173cdeb421cabc0d95adb600417
humanhash: march-nitrogen-cold-colorado
File name:yu6NsfbmMAuL173.exe
Download: download sample
Signature AgentTesla
File size:589'312 bytes
First seen:2021-02-22 14:31:44 UTC
Last seen:2021-02-26 05:34:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:rOxEye4yHHOFd0hp7tiN2OYD+bhsE/+MZKkhbS:rO1e4ynOFdYpwN0O5zF
TLSH A4C4125122E85716E0BDA7F9427052042BF6B94558B5FBAC2EC330DE6131BE0C9B1FA7
Reporter @GovCERT_CH
Tags:AgentTesla

Intelligence


File Origin
# of uploads :
9
# of downloads :
90
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
ID:
1
File name:
a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463.zip
Verdict:
Suspicious activity
Analysis date:
2021-02-22 14:55:06 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356117 Sample: yu6NsfbmMAuL173.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 8 other signatures 2->47 7 yu6NsfbmMAuL173.exe 6 2->7         started        11 IbdGY.exe 5 2->11         started        13 IbdGY.exe 2 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\gcRBzS.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpD2EA.tmp, XML 7->31 dropped 33 C:\Users\user\...\yu6NsfbmMAuL173.exe.log, ASCII 7->33 dropped 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->53 15 yu6NsfbmMAuL173.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 21 schtasks.exe 1 11->21         started        23 IbdGY.exe 2 11->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\IbdGY.exe, PE32 15->35 dropped 37 C:\Users\user\...\IbdGY.exe:Zone.Identifier, ASCII 15->37 dropped 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->39 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-02-22 12:33:27 UTC
AV detection:
14 of 47 (29.79%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
ac3638c4fd6737b6c1273e76c874d7e35c306ca4fd3b24afb08a47bdfd8f6843
MD5 hash:
49b1f34639bc0f83eea60b70e97bdcbf
SHA1 hash:
d2bf3acdbc6cea75717f9ec80852256ee1f0ab70
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
SH256 hash:
25df1a13e78dfade8d89eb525edf6b56715d6a055807bec3e16354225024c883
MD5 hash:
43e5aae555255d5b5dbd58dcaf20e820
SHA1 hash:
031cb764755f33ca805371613377a2a7c567249c
SH256 hash:
a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463
MD5 hash:
a61eb173cdeb421cabc0d95adb600417
SHA1 hash:
a4ca2077b7195c6e9cbcfe932275840b7a03e016
Threat name:
AgentTesla
Score:
1.00

Yara Signatures


Rule name:ach_AgentTesla_20200929
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment

Comments