MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 045b92b336103f95c9a5acff35461d8eb69bbf9aaed8158787362e2853a50e4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	045b92b336103f95c9a5acff35461d8eb69bbf9aaed8158787362e2853a50e4c
SHA3-384 hash:	6952a934e3279cb91413ac94523b1bd9bc8d2ef1405512c1bc9872a65dc2365c8129518d118143df0ed6f899654f38e2
SHA1 hash:	e122c2a58de70c1f6691afdd73b07cc74679a4c3
MD5 hash:	77f555fb641be688c931468dce8ebce1
humanhash:	west-three-vermont-alaska
File name:	Swift209832.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	518'144 bytes
First seen:	2020-11-26 07:08:57 UTC
Last seen:	2020-11-27 14:05:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:DTb4JO36rN2iNVmlCTaO/kTa2t8deLARHmFt8LF:Xb4JO3sN1fmyoPt8Iw+8
Threatray	1'522 similar samples on MalwareBazaar
TLSH	CBB401726692FF9AD77A5FF1A52166402FB8385BE920D60C7ECC01CE0172B848E15E77
Reporter	cocaman
Tags:	AgentTesla exe SWIFT

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/547849

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/045b92b336103f95c9a5acff35461d8eb69bbf9aaed8158787362e2853a50e4c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-26 07:09:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=arnzfmzwca7zlsnfvt7tkrq5r23jxp42v3mblb4hgyxcqu5fbzga._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c

AgentTesla

4415d19e0b69bdccf79c937db6fe491c4875367cc3ad808b233fa606c708c18b

AgentTesla

5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27

AgentTesla

6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f

AgentTesla

ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755

AgentTesla

bacbd1e1b139791f7ca8eeba6a14cf7b34c9c010aca5ce7eb527aea212448868

AgentTesla

d346086418bbd48dabcfb8ea48bad551ec66d79c3c0a2e198cd3a1083a80057f

AgentTesla

e13107c64261638ea91a7c3df4d1eec7153e1eab218b10fd027ddb0f52b95418

AgentTesla

f148b6ad99c39c47a48a82fc4959b98ccfed28b35556ea3e0f07d0b8911d5e15

AgentTesla

+ 1'512 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201126-3s83lzslhs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

0f038f173adfb4fed093661e1384813095619a0ec46fd1e744c0cb1c953f085a

MD5 hash:

dc8c6c5650df345ab85a332502a8fdf6

SHA1 hash:

28908e4f000aa302f7ff86e0483ca508ec547c57

Link:

https://www.unpac.me/results/83a3c1d3-9778-4653-907d-5fcb1d5b4010/

SH256 hash:

4b625ab20db54a36069040ea780346242ee732ce509373a30f04533e05c44535

MD5 hash:

68bc7f4b55daa2c0d634018674ca638c

SHA1 hash:

7bef50f4aefeafc14766a2a41a8c11e2970ef2c9

Link:

https://www.unpac.me/results/83a3c1d3-9778-4653-907d-5fcb1d5b4010/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/83a3c1d3-9778-4653-907d-5fcb1d5b4010/

SH256 hash:

045b92b336103f95c9a5acff35461d8eb69bbf9aaed8158787362e2853a50e4c

MD5 hash:

77f555fb641be688c931468dce8ebce1

SHA1 hash:

e122c2a58de70c1f6691afdd73b07cc74679a4c3

Link:

https://www.unpac.me/results/83a3c1d3-9778-4653-907d-5fcb1d5b4010/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.