MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f
SHA3-384 hash: ab453a393510df3f6cbdfd23e02e3972a16c15e2b127dd73a53cb07d507fc26a9e459fe0d203857b028d69206ee62f57
SHA1 hash: c61acfa5c47bfbd8eaa3f1f5ed08407f6d6bf9c4
MD5 hash: 6d7be308caa355bc1b23adbcf18d2910
humanhash: twelve-april-don-don
File name:6d7be308caa355bc1b23adbcf18d2910.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:697'856 bytes
First seen:2021-03-18 06:49:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:9N4r582NHpuhO0Xb6pDv/pFhmuYu99qOri+T9lV2VQCcRq92IaUddddd:guhx2bp99bfT9lV2Bw
Threatray 3'297 similar samples on MalwareBazaar
TLSH CDE4F1A036F86F06E5B9B3F611A3914C2B79763BE272D71C9CC660CD2935F608615B23
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION.doc
Verdict:
Malicious activity
Analysis date:
2021-03-17 10:20:51 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/8931beab-d332-4e1e-935f-1c84dc8e90f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125399/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.582.16404.7434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/643914
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-03-17 11:54:12 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckpnnhvvw75n5lz5rgncfgwq5zth3lcz73xszz6k5k4hjitifu7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
172bf83e65684b1b9312684aa6cc37ddb15003b93fd80571fe4f9a8289d96da0
AgentTesla
4dad4127df36f1ff3db7fd7dcc70e776f043cb621e3ec297551ad1e187dae0a6
AgentTesla
6117ef5bdf129b7cc226a3bb9e3734f1b7502ab893603c4368685017f31a0677
AgentTesla
63fe4414329ce0fa71954c9d1a65a74d49457844fb1043b104f4cd64c832f84b
AgentTesla
66299f1d16eab2cca6ebe65ac3239ab8fb27ea535d2fa6e2f472554c311d9f07
AgentTesla
9aa6c787d3a660cebb293bc14105c5009859b92bc81e430df1389df113e9e896
AgentTesla
a554b6694b6441582dc4cb3ba9299627f1915e0fc790bcdb430b2088fde93cd4
AgentTesla
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
AgentTesla
b7bce95240078818bac8fe9b2ac1171c838845445f433e81c8eb819d746ab479
AgentTesla
d830adad4946e743cdc39b91ce67e2c3c0ff9aedda4cf205d1756ac45bb7b2e8
AgentTesla
+ 3'287 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210318-m53a8a9exx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
951bc716b3343f453ea34aaf76e2ec07de055be509eab3e31bd2d24eee7d16f3
MD5 hash:
6ffa9aa6878a5c73ab198c8cb5f3fe3a
SHA1 hash:
e92d663ca643ba43419476f01a53726ae7b9fa15
Link:
https://www.unpac.me/results/40581dc4-a1dd-48a8-bb18-d5866f1d1c63/
SH256 hash:
8441540296340f0d5586b738ba775e60ca81862aaf0be0841163e6c7cc176dc6
MD5 hash:
a7029ef0871e77df78584c77204e4876
SHA1 hash:
c6da40fb821e9a6b976cf01100834c67da9a26eb
Link:
https://www.unpac.me/results/40581dc4-a1dd-48a8-bb18-d5866f1d1c63/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/40581dc4-a1dd-48a8-bb18-d5866f1d1c63/
SH256 hash:
129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f
MD5 hash:
6d7be308caa355bc1b23adbcf18d2910
SHA1 hash:
c61acfa5c47bfbd8eaa3f1f5ed08407f6d6bf9c4
Link:
https://www.unpac.me/results/40581dc4-a1dd-48a8-bb18-d5866f1d1c63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 129ed69eb5b7fadeaf3d899a229ad0ee667dac59feef2ce7caeab874a2682d3f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/125399/
  
URLhaus
https://urlhaus.abuse.ch/url/1072881/
  
Delivery method
Distributed via web download

Comments