MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a
SHA3-384 hash: 2e7ec12b9811fdb1ad6f52967134ba97acc4b5f6e2a83247b42f9a09ec461080966c109e075bd9da50ed38122baaf64a
SHA1 hash: 7d19f67d510dfbe000f269380f6707b19c7f8f63
MD5 hash: 59ba6adf9c7228806115c4c5c102090c
humanhash: mockingbird-chicken-sink-king
File name:59ba6adf9c7228806115c4c5c102090c.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:681'984 bytes
First seen:2021-02-17 09:04:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gBG3vLp08SgTjaU8ItOT02hvH/jUXaKYVmRY25M9xY55KIyyil4IogW15WmCLw4M:2oK8nT7K047UX2oY8MaUFXl4IogWfu
Threatray 2'672 similar samples on MalwareBazaar
TLSH 71E4CF9C32A07AEFC55BC6B6DA682D60EB2035BB971B8347951341B8991C6C7CF141F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.sky-qrp.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://198.23.212.246/capi.exe
Verdict:
Malicious activity
Analysis date:
2021-02-17 07:45:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bea3bf2e-5f2a-4a32-816a-8dfce316f026

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117537/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609991
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354018 Sample: yTPzcGHfBU.exe Startdate: 17/02/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 3 other signatures 2->55 6 yTPzcGHfBU.exe 3 2->6         started        10 YYtJku.exe 3 2->10         started        12 YYtJku.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\yTPzcGHfBU.exe.log, ASCII 6->23 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->59 61 Injects a PE file into a foreign processes 6->61 14 yTPzcGHfBU.exe 2 5 6->14         started        19 yTPzcGHfBU.exe 6->19         started        63 Multi AV Scanner detection for dropped file 10->63 65 Machine Learning detection for dropped file 10->65 21 YYtJku.exe 2 10->21         started        signatures5 process6 dnsIp7 29 sky-qrp.com 66.70.204.222, 49761, 49763, 587 OVHFR Canada 14->29 31 mail.sky-qrp.com 14->31 33 192.168.2.1 unknown unknown 14->33 25 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 14->25 dropped 27 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 14->27 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Moves itself to temp directory 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 35 mail.sky-qrp.com 21->35 45 Tries to harvest and steal ftp login credentials 21->45 47 Tries to harvest and steal browser information (history, passwords, etc) 21->47 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-17 09:05:06 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqaryetq6soyfqc6qc4xaijq4c3cvsxw3vrli3auri4d3jnt4una._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
261036c3c84844bc59b94e39261363d6d9443350e27e1fd4fa8e7716ab6a2e83
AgentTesla
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
AgentTesla
43dc584275e87192148542ab82f312d5c809444982536a6403898804a50c72a1
AgentTesla
4a02a5be4110a5eac3e639deaecb4f134dc1788a4623b1d6a92eea75cdf6f31e
AgentTesla
588719d73e00a7f2f1cf0c2790b556383999dfb6cb94cef090f4b78808bd24b8
AgentTesla
8b9abfcdfed4c5a95b6425c5ca75d7b0a17e43e42d6f78cca6f7d8e8c2d7a967
AgentTesla
c8b97cffe50d47dbbd7b9b1d13f0155709130a76bb87db3eb1fba12d3dc24705
AgentTesla
cef56d366215b19ced11fd5b418f74cc165a6fa3b122ac562bbbdde6f0d1a07a
AgentTesla
d9b7bb2c86f319f087b2e08d9097639b134acff8298e28a736a103e4eb3a6cbf
AgentTesla
ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df
AgentTesla
+ 2'662 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210217-99w1vnfjjx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
699e040ae8d267f6f66917a53496519e5135bed26dec3027ef4697c29b245495
MD5 hash:
40887e2207767c8e1bb7265fedbce973
SHA1 hash:
17d7ec194125f2b92af1dd3d3431e44f1fff5d68
Link:
https://www.unpac.me/results/25de1f67-8058-41c7-a6d3-6fb108648daf/
SH256 hash:
0629dc6a0926a89f4b5550df5b018804a9a724a04bc0ace1f4df81e5496887c0
MD5 hash:
a769d9def50a861d2b70c9ec875e3709
SHA1 hash:
8dc1582cebb785d8ecf103e2aba510fa5c67c3b5
Link:
https://www.unpac.me/results/25de1f67-8058-41c7-a6d3-6fb108648daf/
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/25de1f67-8058-41c7-a6d3-6fb108648daf/
SH256 hash:
04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a
MD5 hash:
59ba6adf9c7228806115c4c5c102090c
SHA1 hash:
7d19f67d510dfbe000f269380f6707b19c7f8f63
Link:
https://www.unpac.me/results/25de1f67-8058-41c7-a6d3-6fb108648daf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 04011c1270f49d82c05e80b9702130e0b62acaf6dd62b46c148a383da5b3e51a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/117537/
  
URLhaus
https://urlhaus.abuse.ch/url/1015323/
  
Delivery method
Distributed via web download

Comments