MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527
SHA3-384 hash:	a36e48cda33e27b5b290425f230495054b3381a2bf57766a613d61c54cb596eddf9fa4cff72434087aa945b5a5db09e7
SHA1 hash:	bb67f173ce0d87ccc68bdf4be045efee4abd4737
MD5 hash:	6ba502f3bd93126cd7439d6e15da6893
humanhash:	iowa-queen-pizza-artist
File name:	0001.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	592'896 bytes
First seen:	2020-10-21 09:43:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:oZdVUK9ROZOFqorn0eONtpDwgQ70nYfYFFZOdAUP7Pxe:xKa8qCDgiGFZqJ
Threatray	757 similar samples on MalwareBazaar
TLSH	5AC4E1359664DF21E0BE4376A465180017FDEF06A33AC62EBCFA31CD6576BE04162F1A
Reporter	Racco42
Tags:	AgentTesla exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505539

Signature

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-21 06:35:02 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ba2y2cqvqs7phwb6ji6jtumg5ady2omphv4bnx3rimk6wpai2utq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

20c0aebe7cad9faafeff8655a50fb31ef9e91208f17035f3b90b91ab8fce0e86

AgentTesla

5193daa3e21a010020f044a9167f141a4c9e62d8f19b21dc82049045a2fbee48

AgentTesla

69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425

AgentTesla

7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351

AgentTesla

8348c6c60034429d7bca499c5cfb52d04f0705cda36665cbff5db267958811ef

AgentTesla

9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab

AgentTesla

ba495069a1b601a12f32f6e346dfe60958f73caa0048fb702e357fee17d58d54

AgentTesla

c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a

AgentTesla

fea590dbb8987a6358d6708c5728826c5dc44c943ff4145ab1bc6d110c03e13c

AgentTesla

+ 747 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201021-3v9gwgqern/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

f6639e093d72133b41c6293def1680025e4d2c220167600c9c0f60d3083ac979

MD5 hash:

25dec588b325848e061a8686391bcff3

SHA1 hash:

16324eb7db79457726f84414432ad7fcf8b57b8d

Link:

https://www.unpac.me/results/8694aa1b-bf1d-4e44-8e29-fbcdf2a6efa2/

SH256 hash:

bfd4913072e690c69512cdaf64a521b790abfdbe73ce48930168951ee7c733c7

MD5 hash:

94ce04fda8d5858536beffc0cd303c89

SHA1 hash:

85bc7342225ccf5e15a67555779dbb6aacafb9b1

Link:

https://www.unpac.me/results/8694aa1b-bf1d-4e44-8e29-fbcdf2a6efa2/

SH256 hash:

b8dc7a502859b21f87a951db8041602c1be124f15876e5e117b64600868be020

MD5 hash:

07eb1ba343a503615ce480cdbeca26ca

SHA1 hash:

98a66cf550c96d3ed6a577936846af7e44bfeabc

Link:

https://www.unpac.me/results/8694aa1b-bf1d-4e44-8e29-fbcdf2a6efa2/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/8694aa1b-bf1d-4e44-8e29-fbcdf2a6efa2/

SH256 hash:

08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527

MD5 hash:

6ba502f3bd93126cd7439d6e15da6893

SHA1 hash:

bb67f173ce0d87ccc68bdf4be045efee4abd4737

Link:

https://www.unpac.me/results/8694aa1b-bf1d-4e44-8e29-fbcdf2a6efa2/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/73944/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample