MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c
SHA3-384 hash: 4e7f291cfc44ff80ab42a2db1131a4c3502a6df9f110d53ffe72d1f0fe0dedef950b473ca0b8c1a0bac062f6b7b1c14c
SHA1 hash: 70da6a7e4cce9152821fb767f4ab5bc1a734bf72
MD5 hash: 65ba22e8c20d96fd3b3019102c93d898
humanhash: social-oven-summer-sweet
File name:MT Stolt Perseverance.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:909'824 bytes
First seen:2021-04-13 11:06:20 UTC
Last seen:2021-04-13 11:57:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:fom0f25GetxCp4tVLLvJSzskgGv7g+TGsv5Df5Dh+5ks5saY+FmmsSLbcDZFdcre:04GeJbP1GTys1u5xLAZNcrjTe
Threatray 3'917 similar samples on MalwareBazaar
TLSH CB15CFAD365075DFC96BC972CAA81C64EA6074B7530BD203A04716ED9E0EA9BDF101F3
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT Stolt Perseverance.exe
Verdict:
Malicious activity
Analysis date:
2021-04-13 11:07:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74f8063e-6453-4f48-988c-15b06abfe92e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133947/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46086375.18763.25574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/674179
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-13 02:21:48 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cn2inhdav3j2ytrwxfx4kjn4lmnaf4ofdiplurgpwrxn5de3m5wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00f15693650f7e3640fd510852dc0301d357717a986a49c35b3b91d876df8d66
AgentTesla
0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e
AgentTesla
1a5421663abc706ce1c326cd443f5aba56108c99ef8e885261366aabf2e2f915
AgentTesla
26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45
AgentTesla
55dee6475ed6ea1cfb43a31212f428175352d010544945ad7cdc5341cc388da4
AgentTesla
5842f3956659c2e81a88473dfd7603182d4e43cd8120e24a61189e7a43541751
AgentTesla
672a61ad27f7bafa74b86dffa95262a18256d48cf3f1aa74c5b6907cefd9cad1
AgentTesla
90dea85ad9ae332c6f09cb3e9852515e3ae4eddf9e59b5aca5d0c7e94ab8bbbc
AgentTesla
af1d434f702045685e163c36d8d24098389e7675eed56ae34a90532764df2d3b
AgentTesla
f9ac482ceccf651bfb9fb322fb71f94a3ae3a64a2113541fcd888d40d305898c
AgentTesla
+ 3'907 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210413-ry6yw3131x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0c12024607f12073adb1a16eaaf61ee97f85f336f5f129d709f327468f21c7f9
MD5 hash:
a41b4b22ec47af2bb234c779b378b690
SHA1 hash:
e294ca47b887b7dcd0b1f0ae40fb442823cb913d
Link:
https://www.unpac.me/results/ea2a69fb-2137-4259-a4ce-5f3ca5001e8e/
SH256 hash:
33f6910ef6772505dc2a7a086ec1519ea97444220adbb7736f466290e16d819e
MD5 hash:
3380a30d26236f4468026f9d0356b5d7
SHA1 hash:
8b96298a26f07a9c92be6377d41ab6fe599deb2a
Link:
https://www.unpac.me/results/ea2a69fb-2137-4259-a4ce-5f3ca5001e8e/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/ea2a69fb-2137-4259-a4ce-5f3ca5001e8e/
SH256 hash:
1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c
MD5 hash:
65ba22e8c20d96fd3b3019102c93d898
SHA1 hash:
70da6a7e4cce9152821fb767f4ab5bc1a734bf72
Link:
https://www.unpac.me/results/ea2a69fb-2137-4259-a4ce-5f3ca5001e8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 16f5e4fef1fc1a5e98117413cbe7bcc5400f6713e28167656fd9e0f5927340cf

AgentTesla

Executable exe 1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c

(this sample)

  
Dropped by
MD5 3081c419553c00d0e987b5b51c68b9a7
  
Dropped by
SHA256 16f5e4fef1fc1a5e98117413cbe7bcc5400f6713e28167656fd9e0f5927340cf
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133947/

Comments