MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e
SHA3-384 hash: 9a1301dbd17ad56b40b5e91b287ef4d7c9ce2752902743cf885693769f752e93cdbe6ecb02c9b5ffac5bf6e82dde4e76
SHA1 hash: 9355ee4f4a5593dfebb590a2ee4ac04cf49c906e
MD5 hash: 511fd49abca82561848696fa6c402910
humanhash: august-jupiter-hotel-six
File name:attached wire transfer slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:795'648 bytes
First seen:2021-09-14 04:31:20 UTC
Last seen:2021-09-14 05:10:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:ryIlK/5RF/atei2A2jhJ5rMx8UoaDI6V0PMnDI1iU/dKxmp6HWNeqGgoACMqq:rH8tWe71j3lMx8UoIVqMDIO3VbACMq
Threatray 9'801 similar samples on MalwareBazaar
TLSH T14F056638ED0B21BBABE6D374E4BA150AA4F418BB33349D5EC192774D190760374DA3AD
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
attached wire transfer slip.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-14 04:33:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83e3c2a8-c420-4c03-87a8-2ddabd85fd7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187633/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16592.11479.32454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61750956db358dd15ed91fd8/reports/7a74ad20-fc63-41c6-ad92-053e445e94a0/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03091e5f-4b46-43b1-bed1-8bf4df1f2b57
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850363
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 01:11:32 UTC
AV detection:
17 of 44 (38.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfejmakd7n6q4pcwm6ffxwgqxlxe7igipwblnx7v26r6yiuadepa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35e82796e5257e40a86549618162612652e5aa9635f3d44150b06762ea9368a2
AgentTesla
37511a8474beffdfd64c562149fe0f4861195f0fb6e04d28113bca5262c56a9c
AgentTesla
38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
52b732cacb489185a32d537cfab532789b8a8efe3d3b6fb93221bf8617cac915
AgentTesla
68efec00cb038efe657da204e1d54fb425250be177803f70be82cf9adb3c59f0
AgentTesla
85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b
AgentTesla
b39dd18d501e05601165b24520b2f34460d2bc1fba1f7ce8e7297dc09165ff15
AgentTesla
+ 9'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210914-e5z7eaege4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ad2aa1a0837a8f1b7816b64040fde4e1651fd46b5ed10ed0789570b5a493f8f5
MD5 hash:
a042a585aaf02a1696d4aefd5030c8f3
SHA1 hash:
9645e939f6f096f72a1ccb4975833896c960d1f0
Link:
https://www.unpac.me/results/334afe96-54b0-423b-92cc-95229e7ac0e5/
SH256 hash:
fb8c416bff358faa34cf34cfffdfe291e0fe21c5bc6185321e724d55523173a3
MD5 hash:
fb4e8e79e570e5c8f8cd0edcb3cd0361
SHA1 hash:
93957e61ba87bd1052ad4ee209681de2da213336
Link:
https://www.unpac.me/results/334afe96-54b0-423b-92cc-95229e7ac0e5/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/334afe96-54b0-423b-92cc-95229e7ac0e5/
SH256 hash:
1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e
MD5 hash:
511fd49abca82561848696fa6c402910
SHA1 hash:
9355ee4f4a5593dfebb590a2ee4ac04cf49c906e
Link:
https://www.unpac.me/results/334afe96-54b0-423b-92cc-95229e7ac0e5/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1948960143fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1948960143fb7d0e3c56678a5bd8d0baee4fa0c87d82b6dff5d7a3ec2280191e

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187633/

Comments