MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff
SHA3-384 hash: 685a78566fac5847f00c9cb07346e27fa6e13df15c312b1497f32cce6fe726c36feb980404abde8e92bfb8bdba8585ef
SHA1 hash: c3248af594d3020180949e0e95ca4385fe01b693
MD5 hash: 81087691531e08f2aba6005afd38172f
humanhash: mike-green-mike-jig
File name:81087691531e08f2aba6005afd38172f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'884'424 bytes
First seen:2021-01-03 10:54:16 UTC
Last seen:2021-01-03 12:41:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 1536:8pOjbCI2JVTNmaN+W21bKPWyMzr/aWVTNySi+cUwUP8WUTUJUMUYUR21aURUPU4Z:K7I2J3mpJK428
Threatray 2'046 similar samples on MalwareBazaar
TLSH 7F952C156FD3254EF2F3E07612B19ADAAF39FA7A72405E0D825D2A550C03F862F83D16
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.everfastinternationalmovers.com:587

AgentTesla SMTP exfil email address:
mikescampagelogs@yandex.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81087691531e08f2aba6005afd38172f.exe
Verdict:
Malicious activity
Analysis date:
2021-01-03 10:55:32 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/64028bbe-207e-4b26-b3cd-6142e23b32a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110343/
Detection(s):
SecuriteInfo.com.Mal.Gen.28695.6168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573063
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-03 10:55:06 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhwkgmsdfdne6plnj4llffpctk5ar5nhrkbk7ticcjku6qyc337q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
2bf325abeef3e5dbce3c2041a7e1bde3ae717a58b2ce07a0286855c22cab4bb8
AgentTesla
305a242832d3835e3960a83d2025b8b8ff26059a3915780f5f1eb85d121db9e4
AgentTesla
320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e
AgentTesla
4fc33aa81e0b49bc4bbeafb2d0485b238d8cb64d282c1f474dab1627a77559a5
AgentTesla
5df302032fa38879552d9a916c18d5e019fcddbed9447b53f75f9e4b1b08e7ab
AgentTesla
6b6a6cb45c75ffda98874ecb88f2fbc1ec1737222116967459117d6d8d36ecc9
AgentTesla
a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49
AgentTesla
bd8670ff54fdb88e307e5997213a32ee95f922566923e7a645cbf120094cbbdb
AgentTesla
e788686b2a0e0efbf94e3f33a47e63494ca216e965191d82cd2922b8af6fe037
AgentTesla
+ 2'036 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210103-46kdd2gmln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff
MD5 hash:
81087691531e08f2aba6005afd38172f
SHA1 hash:
c3248af594d3020180949e0e95ca4385fe01b693
Link:
https://www.unpac.me/results/8fb03f7c-fa4f-47a6-a057-f182095def44/
SH256 hash:
802eb32f540d82d861f7e3a9115d08f0836185673ca7cb777caad47bba25df37
MD5 hash:
22452641dfa0e054c5ab26dac46d6279
SHA1 hash:
01fb488d1c2f6687481027607f5962f014f93900
Link:
https://www.unpac.me/results/8fb03f7c-fa4f-47a6-a057-f182095def44/
SH256 hash:
188bb2e75d8dda0e57bbbe1acbe8e338475b2ae5bea7e7a784e270215bbad1d6
MD5 hash:
f614bedf1f42fdb720e995fb2f542ac1
SHA1 hash:
944f9a8903876df49cbe220b68b3c706016a7340
Link:
https://www.unpac.me/results/8fb03f7c-fa4f-47a6-a057-f182095def44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 09eca3324328da4f3d6d4f16b295e29aba08f5a78a82afcd0212554f4302deff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/945749/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110343/

Comments