MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5
SHA3-384 hash: e52a88df92384b29ff9422fcf7c42781db14d0e314a56853d5a0a675c54a67e54a249483fe2368cee0aa179008efad1e
SHA1 hash: 59e3a42dd8948a5799400ab4ed864991c94fc6b2
MD5 hash: 7141327bde320293461490470db1d1d5
humanhash: eighteen-harry-william-don
File name:DL-PR-0721-2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'248 bytes
First seen:2021-08-31 02:16:53 UTC
Last seen:2021-09-05 05:30:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ecRQNM4MprP5svhDa0tPteBeX0Nv3N/kf5GdZCm15n9DxpWrdceQ:ec+M4+rP8hDVtPtvy8fwdZ11x
Threatray 9'162 similar samples on MalwareBazaar
TLSH T1DAC4D05C7654B1DFC867C8728EA81C64FA51A8BB830FD247A067229D9D0E9DBCF150F2
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DL-PR-0721-2021.exe
Verdict:
Malicious activity
Analysis date:
2021-08-31 02:18:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e07ba6d0-1ada-45d5-8838-90f4324948b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183924/
Detection(s):
SecuriteInfo.com.Artemis7141327BDE32.22213.19860.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7970dec9-3ec2-4287-8ef0-514da0e56460
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842210
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474641 Sample: DL-PR-0721-2021.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 51 smtp.codiis.com 2->51 53 us2.smtp.mailhostbox.com 2->53 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 7 other signatures 2->69 8 DL-PR-0721-2021.exe 6 2->8         started        12 kprUEGC.exe 5 2->12         started        14 kprUEGC.exe 2 2->14         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\gcQgalpaSHSSsd.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmp9350.tmp, XML 8->41 dropped 43 C:\Users\user\...\DL-PR-0721-2021.exe.log, ASCII 8->43 dropped 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 8->75 16 DL-PR-0721-2021.exe 2 5 8->16         started        21 schtasks.exe 1 8->21         started        23 DL-PR-0721-2021.exe 8->23         started        77 Multi AV Scanner detection for dropped file 12->77 79 Machine Learning detection for dropped file 12->79 81 Injects a PE file into a foreign processes 12->81 25 kprUEGC.exe 2 12->25         started        27 schtasks.exe 1 12->27         started        signatures6 process7 dnsIp8 45 smtp.codiis.com 16->45 47 192.168.2.1 unknown unknown 16->47 49 us2.smtp.mailhostbox.com 16->49 33 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 16->33 dropped 35 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 16->35 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->55 57 Tries to steal Mail credentials (via file access) 16->57 59 Tries to harvest and steal ftp login credentials 16->59 61 3 other signatures 16->61 29 conhost.exe 21->29         started        37 C:\Windows\System32\drivers\etc\hosts, ASCII 25->37 dropped 31 conhost.exe 27->31         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 00:29:19 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a55et6tpozplk6qnhuipololcg3d432t5jsjiwynnozqarujto2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dea09c30d8e850fab893b3f17f9bad6898c7e77bb690ecfe523681ca0f07e95
AgentTesla
6ecabff170de8fd8dfe88313392add2c4a468177a8c37eed83b58fe77d8c882e
AgentTesla
7d4291707493bc84921a0832f42340e5377d0e58ce15e43a066ebd03f0c7c413
AgentTesla
9189313c82849b055af58dd07b281ab0f8cd50a9a043524fc0e2b3a02d961405
AgentTesla
9662d1e4c72efe73a1f203ebead6069990342a4da6314737e3a02b08e2d68075
AgentTesla
a3aa3605c436f4ef38f404007ce0305562def1f6e77f244232671b10914894f0
AgentTesla
cd4a0ce17e073c2e3e7405d079e763617bacbae2d439533e64495363808b5f2c
AgentTesla
ce8de6e2f70e2c2e688ef8dd1693a0356b01ce9a31e06a0b6cb11b8eceb2509e
AgentTesla
da33725694fafe69b0a72478a9741ae2eac9d294966f160204a93e27f711b514
AgentTesla
+ 9'152 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210831-q8yct4hcvn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/f50a0b83-16c6-4734-8c54-57966802941d/
SH256 hash:
78175c971ac282ced9c11f294d538b4d9f6b70a7f0b15a0e6215dc08108deadb
MD5 hash:
2177c689b6d604a6f1e5eb028919c688
SHA1 hash:
689d50636b626123f5a2ebfd5361ce2818b2a4ba
Link:
https://www.unpac.me/results/f50a0b83-16c6-4734-8c54-57966802941d/
SH256 hash:
c01cca1d613d6bea27d31091c5b9bbcb516ca5ae2780d9610811a866e5214d06
MD5 hash:
537eaccfd4d9905a8f363d48eddad6ad
SHA1 hash:
02ee9f629c3fb19e0d3685133b9465b40eb69b30
Link:
https://www.unpac.me/results/f50a0b83-16c6-4734-8c54-57966802941d/
SH256 hash:
077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5
MD5 hash:
7141327bde320293461490470db1d1d5
SHA1 hash:
59e3a42dd8948a5799400ab4ed864991c94fc6b2
Link:
https://www.unpac.me/results/f50a0b83-16c6-4734-8c54-57966802941d/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/077a49fa6f76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 077a49fa6f765eb57a0d3d10f72dcb11b63e6f53ea64945b0d6bb30046899bb5

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183924/

Comments