MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843
SHA3-384 hash: 249f75617b4843923debd83cad97e51836ebb1d9c1cd8e327ebd2aaa12ff3a57e81362d154cbb676e7ccf182e7a1d4fa
SHA1 hash: f302175ce9622f12172da422e0541f57277b7f0c
MD5 hash: b05c58f3f3341322a2f615e0c674e4b0
humanhash: mexico-bluebird-chicken-papa
File name:b05c58f3f3341322a2f615e0c674e4b0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'419'264 bytes
First seen:2021-12-13 20:05:11 UTC
Last seen:2021-12-13 21:58:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:C5dMLg/2XCgPikPORPsvG7CrZBZ/IPPuh3apS7cjHrRmdKzsu/KtwGJGF0lT+fGG:KdP/oikP0KGmRkPI3DoHRmLuKtzJGF0+
Threatray 14'169 similar samples on MalwareBazaar
TLSH T18865230076F5D215D23D97F88CEB603003B8624BB491D25A7ED623DAB8EA3F446D19DB
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b05c58f3f3341322a2f615e0c674e4b0
Verdict:
Malicious activity
Analysis date:
2021-12-13 21:15:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/013b7db1-d4a7-4aff-87e5-7937774e77c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213677/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.NanoBot.mc.16871.21434.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Medvedev-6482674-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b7a7b147bb875c085b3d60/reports/68be3805-fa01-4f66-a94e-75b7015336d2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da7fdb40-9b71-4b04-91c4-477408828369
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/906768
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 17:51:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2a2kqdb5clok2o2bzg4t4rc6dsz3dw4famz7iwsiai7gseyjbbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e00993f9b487efe986bb97b3408fd6111d0983d29e86943c1deafc72ac7333f
AgentTesla
3e81cacf8070232edbe7c2443a72df9d59d4631b8d74a0d513aa535bef475a02
AgentTesla
59d43607b1bc8864486706c222c900ed71eb5a820dfbf85b5ef060dca95db133
AgentTesla
5b293ca70449d8da04fc704635e04b266290b5591ca49ef4a29e7ae1d656640c
AgentTesla
82004576665b77d6a67e5286154013f6f7b95bb46d81ee6b061b13343dfc4acd
AgentTesla
8c35dc71998561bad15183fe5ce76463fb2651692f72e92cc2d065f69f47b5cd
AgentTesla
936efb5051650731c646c28d92474fe7ea52d3f28a98d9939d75e32b7ed08778
AgentTesla
a2f1773e4b9146563dbf711ca1462448a7a847f8b6660424f72faaa5fa9b20d4
AgentTesla
d838bac7ab25b90356a5280bba7cb299f087c4a90c7a2216b8415140f23ba1e7
AgentTesla
e16f91dc64ead588e5e507e76997e3f7ccdd2f86d4121dae842ead03b3f3c051
AgentTesla
+ 14'159 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211213-yvemhaebd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0d3180f77ddcef970bae8f30566edc90d8db263c371034a6e3ecd18dd5982c87
MD5 hash:
14c2e4c7fd33f65ffe80e6d1e6b22e86
SHA1 hash:
01481401beb7495b8098f0c60075215d4df5d225
Link:
https://www.unpac.me/results/c600c456-7cc4-40ed-8a2c-d53a5a740c51/
SH256 hash:
e9dbe50d1159b74e3772487313fa3666bd0342effa00165d02ffbd0c0593833d
MD5 hash:
85f0547176420acff5c164e997dfd3a0
SHA1 hash:
b0651ac64eefcde1950910fa9357e0836123b168
Link:
https://www.unpac.me/results/c600c456-7cc4-40ed-8a2c-d53a5a740c51/
SH256 hash:
2528c578bea55abe065ab1975b2b963755804ccbba6d58b9e7a6bb24ac61985f
MD5 hash:
9e9741478934458b82456e607740ce40
SHA1 hash:
db675bb4ec16b6580fd6d05131d4c7117cccbb66
Link:
https://www.unpac.me/results/c600c456-7cc4-40ed-8a2c-d53a5a740c51/
SH256 hash:
1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843
MD5 hash:
b05c58f3f3341322a2f615e0c674e4b0
SHA1 hash:
f302175ce9622f12172da422e0541f57277b7f0c
Link:
https://www.unpac.me/results/c600c456-7cc4-40ed-8a2c-d53a5a740c51/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1681a54061e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1681a54061e896e569da0e4dc9f222f0e59d8edc28199fa2d24011f348984843

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1881596/
Cape
Cape
https://www.capesandbox.com/analysis/213677/

Comments


Avatar
zbet commented on 2021-12-13 20:05:13 UTC

url : hxxp://paxz.tk/arinzezx.exe