MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519
SHA3-384 hash:	765a85a7aefe833ccbc437e252914fb3cd69b4a3bc528efa7687622d519463225f350bfabc291e1e1a6027cb50a4b486
SHA1 hash:	47a71f50b6dc1776d93eef7463ae0defcc96ebd4
MD5 hash:	06088e0e173c5ad432565c919d1f4083
humanhash:	montana-spring-sierra-cardinal
File name:	06088e0e173c5ad432565c919d1f4083.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	579'584 bytes
First seen:	2020-10-05 05:17:13 UTC
Last seen:	2020-10-05 05:55:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:yvhOqPW5n0I8vg6MbtTISiTEDQ3l9cEuZ2weSqvFrhC1iJ0dNQfo+:yQ0r513Dchkdrcq
Threatray	1'114 similar samples on MalwareBazaar
TLSH	47C4D0297780FB4ED67F8F768413282097F0D2639A03F7836CE715DC54DE59ACA221A9
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.africanuniquesafaris.com:587

AgentTesla SMTP exfil email address:
merrowsale@gmail.com

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68039/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480993

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-05 05:19:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c63hduqhzi7ggng5zlum4f7rgf6mv426tex63blsimj64giz6umq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

19b8d7da5a00f2ef97531fda2db336b31c19a73c482e8528c21730a8ff372786

AgentTesla

1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241

AgentTesla

535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64

AgentTesla

787bbb324bff5c9623f81bcfb8eb548a5938a50323c594440bc46dacd52276a4

AgentTesla

7a5cf1b0f0b115b160a48992609c57b8f9c4591a736ffc052549b2f1e91e2eb7

AgentTesla

a394155e8d2a15fa55c36e9b679cb922fc07b598c207564434fc8c80ee046503

AgentTesla

c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1

AgentTesla

c8a3e3215f590c257667fbdde0b3632828f0028b0081b996c3547643c1ababba

AgentTesla

d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3

AgentTesla

+ 1'104 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201005-6cbwczd11a/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519

MD5 hash:

06088e0e173c5ad432565c919d1f4083

SHA1 hash:

47a71f50b6dc1776d93eef7463ae0defcc96ebd4

Link:

https://www.unpac.me/results/9b3ce64b-c83a-4013-9be5-7a4107a60c73/

SH256 hash:

01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a

MD5 hash:

eb593633270aa19162cf64663df9dd6c

SHA1 hash:

2ec57181471ff10abe9a04239ca3ea86ea4252b9

Link:

https://www.unpac.me/results/9b3ce64b-c83a-4013-9be5-7a4107a60c73/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/68039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample