MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d837595ce26853dd78280e3f465a4e18d04528d797fb3d5aeed3ce4a574cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	10d837595ce26853dd78280e3f465a4e18d04528d797fb3d5aeed3ce4a574cd6
SHA3-384 hash:	5adf78278699a91c3ee7bd42937de0527d905001f676d500e65fb67254880f6eb79f68c0261c914f3ec0bbf2bb035045
SHA1 hash:	57854ca48393eac977ae1bcaf411f92422776dd8
MD5 hash:	2f6f87450b276cfdc3931a8493ba6943
humanhash:	cat-video-cat-cup
File name:	2f6f87450b276cfdc3931a8493ba6943.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	922'624 bytes
First seen:	2021-07-13 13:34:00 UTC
Last seen:	2021-07-13 14:48:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:I4EV+HNomxX7wrnz13CyenX58jpdIL5R6AQszmhqwQzKjb3XNuARlw6DKiqmDraO:9JxrwrnzsX5/Lr6nszpU
Threatray	6'664 similar samples on MalwareBazaar
TLSH	T15315F398EB80219EEC16B9338554FB3097335CF2461F9D0650F3319A593A5C6CEB9BB2
Reporter	abuse_ch
Tags:	AgentTesla exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171444/

Detection(s):

SecuriteInfo.com.Artemis2F6F87450B27.11728.27426.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/815587

Signature

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/10d837595ce26853dd78280e3f465a4e18d04528d797fb3d5aeed3ce4a574cd6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-13 13:35:14 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

32354e3b311d84b4cb17c5288b4a89d1ca1b84c9272781a39009598780520063

AgentTesla

33c6ab107de081461d6f7b67d5d120efc3dd15ba75351d9a564884d6368078fe

AgentTesla

56a11ac0cd03e932886e623809ba8e27f42e3d438e0b98fdfd56e41d8c38607d

AgentTesla

5e32b9920fbd332179288fbc1d5ed94f83e0cf164a28b8c63d20e5d0b8949f37

AgentTesla

7d34ebcd5418ad89a004b65ace563b8bea5a0e01da818e882f33b3e4545d9ccf

AgentTesla

7e238de9659253609e540c0eb5a60c3221aea8019bce929a65c185d29d4c2291

AgentTesla

b5073e328e1b5af6a324e5c9bbc92757f2bfe70b9522d83905e99d5d29fc3c9e

AgentTesla

e630cd1050328f6c1b58d793e13fb2a873bdb49c5cdd27d5762cfe6602c4f2a6

AgentTesla

+ 6'654 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210713-fw3mn1ttvj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1846926808:AAGk2IzxSb5N5fdYKiaTr2kIA9QAdWBcb1Y/sendDocument

Unpacked files

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/9a0a8562-645a-4b42-948c-7c5234264125/

SH256 hash:

a7df6a79c98502b3a959a5c377eff909d988d78a735b079cdcaee5c5b4a0593b

MD5 hash:

b9833b3335469a794bc8bfcb1f9be680

SHA1 hash:

40d8a9ce419a16286a30361ec4355e7f618ba67f

Link:

https://www.unpac.me/results/9a0a8562-645a-4b42-948c-7c5234264125/

SH256 hash:

60479f2634bf1b22c214e4ce73d9e60142ce4d91559f6d95e14555449529ded4

MD5 hash:

9949a0d8c0e6b3babb8fef3192b8e3b8

SHA1 hash:

220ecff459ccae09d9675a3e6fe1110d1830f9a7

Link:

https://www.unpac.me/results/9a0a8562-645a-4b42-948c-7c5234264125/

SH256 hash:

10d837595ce26853dd78280e3f465a4e18d04528d797fb3d5aeed3ce4a574cd6

MD5 hash:

2f6f87450b276cfdc3931a8493ba6943

SHA1 hash:

57854ca48393eac977ae1bcaf411f92422776dd8

Link:

https://www.unpac.me/results/9a0a8562-645a-4b42-948c-7c5234264125/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10d837595ce26853dd78280e3f465a4e18d04528d797fb3d5aeed3ce4a574cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.