MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a
SHA3-384 hash: 555e3c69c80d4407f997955b4182edcfa073a1ea8c7254ecd105eddaf5aa67939d9414f7360e8a8ca90fc166612be978
SHA1 hash: 28cc1432bd94af6f8ee5892d1e436b769224af74
MD5 hash: 40145d0dce852e126cbb11fd326ffc90
humanhash: william-mexico-mirror-ohio
File name:temple.scr.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'759'624 bytes
First seen:2020-12-24 14:22:43 UTC
Last seen:2020-12-24 15:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:R8ctHtKz2v24vKEYOfxv0Fxl+nIHGFfXOtac8574G61tlsl7JxQm4R4FG4atssCc:R8cix
Threatray 2'003 similar samples on MalwareBazaar
TLSH E4854E0249816CCBD7B2D090A34DC2D6B38795DCE7EA5FD4AE20E25532CC4B7EB69D81
Reporter James_inthe_box
Tags:AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Dec 22 23:33:21 2020 GMT
Valid to:Dec 22 23:33:21 2021 GMT
Serial number: D62AA985A7F1ADBA836CD3BE2F9CF556
Thumbprint Algorithm:SHA256
Thumbprint: 494E8B16F28C4A415A9E04357F271B4571EE871E42CC91E58D7902FA5F9E4BB9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
936
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
099a008eb3971b8ca0c6b37ca7f69327ff23c9948f2e7be181e94321f51a5a1c
Verdict:
Malicious activity
Analysis date:
2020-12-24 11:55:20 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/bef356e5-ea33-4fe8-8a9c-1a09f12eef92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109358/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35829997.32610.6196.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Verdict:
8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569749
Signature
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 07:02:56 UTC
File Type:
PE (.Net Exe)
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czdcnxhrzki7lxcvu3v5edtp744uxd657iilt76k7f2ncvapouna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
139e0682e4985353d6d73c2c0c8a0982a06a6f8758edb5b7f949282b5cbbd63a
AgentTesla
24ab4616829b8c7bce068426184e9ff9ac006208ab47160890cb92a08f0bc885
AgentTesla
383536471e06eef80e55ff074d896710948eb79d3f90b734b4d32e0876faa79c
AgentTesla
4c69589ded9f474d14d6d9127d5a06ed5ff0aa8fba90711b265fa9cf3fd0a5c8
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08
AgentTesla
9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
cb866da199696cea1ffe6bd8498c1d2bcf3dd75772291e0d454c4e82c6a51272
AgentTesla
+ 1'993 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201224-j649zyt7e6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a
MD5 hash:
40145d0dce852e126cbb11fd326ffc90
SHA1 hash:
28cc1432bd94af6f8ee5892d1e436b769224af74
Link:
https://www.unpac.me/results/95911411-8902-4470-8661-dfb96a98f85a/
SH256 hash:
d85c1901f015cdd97ed3ab3f9d8405b97613f40cb0b8a185b1ad901c3007f61a
MD5 hash:
5b69a463fcab505fa3b6533cc57248ed
SHA1 hash:
18393ee2a41f8fc930933383d4b6aa73f85b96c8
Link:
https://www.unpac.me/results/95911411-8902-4470-8661-dfb96a98f85a/
SH256 hash:
459495d52b83cbb828c18098b3eea0b73f95ba0f6296331246c272f56a574163
MD5 hash:
93181de4267c94ce6285e61615fc443b
SHA1 hash:
8f4d21cc83319ba8c3edf14832a67470631be116
Link:
https://www.unpac.me/results/95911411-8902-4470-8661-dfb96a98f85a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/164626dcf1ca91f5dc55a6ebd20e6fff394b8fddfa10b9ffcaf974d1540f751a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/109358/
  
URLhaus
https://urlhaus.abuse.ch/url/941604/

Comments