MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8
SHA3-384 hash: d43977e8a7e2ba1511e6ac51259706ba582ad6d764353350d0ecef9cf3ce0332c04ff375626d55a189567e226f772187
SHA1 hash: 3abb4b3cb1ad4d12c81d611623973e8401e3e23b
MD5 hash: affd8e6bdc328d5db92a6ae4d210f916
humanhash: comet-rugby-alaska-spring
File name:affd8e6bdc328d5db92a6ae4d210f916.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'111'552 bytes
First seen:2021-07-21 18:07:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ByhdsIbEsKrvDBa1LA/tLoE+Ch5sjmWFlivLXZjTVhYWX:LNmc9oLpOvLpn
Threatray 7'174 similar samples on MalwareBazaar
TLSH T1E235D02363177B48EC7CC3B96915A045AFF5B407C31ED65C3ED8B0E9A871F259BA1A02
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
miratechs.gq:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
product list.doc
Verdict:
Malicious activity
Analysis date:
2021-07-20 12:03:51 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/4d476b13-cc0a-49dc-8a7d-2c48dc25a40c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173091/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa3e7d9e-a228-44ff-bf97-855f644161be
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819679
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 13:54:48 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=atg3xbyfb6txh3kufummdgjykftbzxv42bvmw2xqlpm6apiuuhea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
084cb2109cff42297ef1b5982900b2022ccc35210cff2231f95acc0aec4e8e36
AgentTesla
305ff91660cc5f742e0689b4e929725c874941242ffffb85247dde1b84ca8e79
AgentTesla
395dad1531c80f5fabc1f7d58b4ac12c7652fc5075f1d3cf6d86cb77c07dff87
AgentTesla
579ce1cdef20d3892cec5362aaf049ef10086e3c638a756fab24f1f32ed37161
AgentTesla
8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
AgentTesla
9713a28e0645cc77089dfd921118db8827de0a8b7e8196d653da2002646bd3cf
AgentTesla
b291d719522053a662cadd70b131668a1d953d4c4dd648e8a5647b689eb6341d
AgentTesla
d4a810dc5c1bf6cfcedaf05d46a9230250ce314cc19082ca044763dcd9ff7135
AgentTesla
dfe19acb83c53bf3fd25bea127cf728c9140cf48d6a55e51b76cef0e92a03d1c
AgentTesla
+ 7'164 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210721-ybkedlr5m2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ecf791ec0de85a162178da8926d413bd94bb399a9079fd8ad7716f536b3425b4
MD5 hash:
cede019894c30398b0815204818a6a79
SHA1 hash:
c49b97ec3ee0218ceaf8226e6178961e61e64915
Link:
https://www.unpac.me/results/b63d1c4c-5486-43d6-ac0d-dacca29e3492/
SH256 hash:
c0db2ac401ccd8800a262ac30751fc79060a34f5181ee6b9a5a1c6e0af17d67c
MD5 hash:
2c5b225bec6344bab56982c138625321
SHA1 hash:
5e94c6705b7328f5e727aef411541e03ca334892
Link:
https://www.unpac.me/results/b63d1c4c-5486-43d6-ac0d-dacca29e3492/
SH256 hash:
e741550c7fb5da1a1d8d726580f3e31e0d57562c643d991359c4086ce7fc359a
MD5 hash:
c12a686b81be309e4cf59e2ccd68a106
SHA1 hash:
20294fade9c88eef3ecc09795a35293a1fbc2a78
Link:
https://www.unpac.me/results/b63d1c4c-5486-43d6-ac0d-dacca29e3492/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/b63d1c4c-5486-43d6-ac0d-dacca29e3492/
SH256 hash:
04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8
MD5 hash:
affd8e6bdc328d5db92a6ae4d210f916
SHA1 hash:
3abb4b3cb1ad4d12c81d611623973e8401e3e23b
Link:
https://www.unpac.me/results/b63d1c4c-5486-43d6-ac0d-dacca29e3492/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 04cdbb87050fa773ed542d18c1993851661cdebcd06acb6af05bd9e03d14a1c8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1450194/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173091/

Comments