MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e
SHA3-384 hash: d9cb0fa274c40c559b1194b317db73f67fed8dc5dd769fd527c2844aaf86c1ea53ad5e15ee46f7160f64589d59cfa5b8
SHA1 hash: e4fb1871b21fdfa9beab676cd58a70f551930f7e
MD5 hash: 5ca041632c9d92d36de6bbf016307719
humanhash: leopard-idaho-wolfram-butter
File name:JTC20-PO074.075.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'217'536 bytes
First seen:2020-12-18 06:37:09 UTC
Last seen:2020-12-18 08:41:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:gQAnPK73wqJrGFem41Ic60+rVIx0JFCt8sc+WsU+sgGV+kICJrRy:ZwqJrGY1Ifv5IazCncVosgGVmId
Threatray 1'877 similar samples on MalwareBazaar
TLSH 2C458E102FA52B69F03EEBB596D86085D7FEB227F715E84B3C9103C60A52F41CE5163A
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JTC20-PO074.075.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-18 06:37:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebb0b52f-7149-4f0e-8262-d3c9254290be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108400/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35761411.7630.27372.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565952
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 22:41:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=czazjqen2uzbdswh7fseq3zn7pm4dsfuzt4yakenaq7tkrghmn7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
294d3baa6d4e6b9d6e55fd9c67072d0d27f3786a4abb6b27c32fa977778fd94e
AgentTesla
29606f35cd9ea80936304ef255b1962b8ba4e20a97e40cadabb37da6785c0ff9
AgentTesla
38ed7c72a2e50891a633f64047a2a6ce5303c451a1e676a26f300d7bdd90138e
AgentTesla
92d9b1922bebbb60f7ca75eb99220f92bbdf687af32a4a966ec90fd562dfe96e
AgentTesla
961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
AgentTesla
96b93e42d633a412f50572331b8b866baf01a3a14bf1f8fadb2d7d9644febaf3
AgentTesla
bac72d66599569fb9217e714c2da097b12285efe1187515dda1f89ec5b4933b3
AgentTesla
d3ab51dd012ef279251684ea215a050cfe913de2237daeebfbb2d52ceb5c896b
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
ff212016b3815373f569019169d3685deb1fea8c6d61f61df4e5dbbda08b952f
AgentTesla
+ 1'867 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201218-jjx7mqjr4a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e
MD5 hash:
5ca041632c9d92d36de6bbf016307719
SHA1 hash:
e4fb1871b21fdfa9beab676cd58a70f551930f7e
Link:
https://www.unpac.me/results/f1e4f5a5-f241-47b4-92bf-3437395faf05/
SH256 hash:
7822bc2654fc6ac872f8a66ae6fecbcfd4e0dec1bb5ddaff68a703651cf79b7d
MD5 hash:
17de35dda19007bcea61aa0b710aab81
SHA1 hash:
0cf61918b36a0579e351256c32314690bf243c57
Link:
https://www.unpac.me/results/f1e4f5a5-f241-47b4-92bf-3437395faf05/
SH256 hash:
c08801405c4427b2f34ccc7c7241436a0cf3a22bc547889998a4d08f10de756d
MD5 hash:
670c1df607130b71267002cf299c5b88
SHA1 hash:
aa61be66f47c27e0bcc98ee11e81e0985a8d2a53
Link:
https://www.unpac.me/results/f1e4f5a5-f241-47b4-92bf-3437395faf05/
SH256 hash:
de53b14b5ac610a4f4cae5c3266f2b0be1a44497b10f2c7ab0b7efb08e28952e
MD5 hash:
c033643733e42ee3ca1ddbab0eb0772c
SHA1 hash:
bd5fe298bd5c40bdae97789cfc33041912fd3e38
Link:
https://www.unpac.me/results/f1e4f5a5-f241-47b4-92bf-3437395faf05/
SH256 hash:
0427c54fe96d672e33718127fe12265c9cf62f970f5791f13f5c21ad72a3a927
MD5 hash:
90b1bcd93044da74a81c5a518a930eee
SHA1 hash:
ff413ba79c7ed1e8e9936bf3e6cfeccf7beddb61
Link:
https://www.unpac.me/results/f1e4f5a5-f241-47b4-92bf-3437395faf05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip aecd152282def027bfd51b70b018af2c80dabf50c52ba4100c71c1047fe027dd

AgentTesla

Executable exe 164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 aecd152282def027bfd51b70b018af2c80dabf50c52ba4100c71c1047fe027dd
Cape
Cape
https://www.capesandbox.com/analysis/108400/

Comments