MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19d30da245dde25341b93f658cd5afd30b8f6e306f5e95d66cfbbf07ef38614e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	19d30da245dde25341b93f658cd5afd30b8f6e306f5e95d66cfbbf07ef38614e
SHA3-384 hash:	b6d15b97a6288a790a5427824d2e67eb2eb3cf4b5aac6aedfaaec23378ff56173c46cce453b89f0dbcf83f6c109781d0
SHA1 hash:	f8410e8319708c51efad84847555fdc26c2b378d
MD5 hash:	4f40eb63860155064b17482e0c489ffc
humanhash:	four-may-oscar-sweet
File name:	ENQUIRY 20210602.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	939'520 bytes
First seen:	2021-06-02 12:20:54 UTC
Last seen:	2021-06-02 13:01:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:X/4mWGESRsABs4IMAByVGJ2Z/RkEA5eTa7x9H/uUxK8vT:zE5otIM+iGJ2I58o9mUxK
Threatray	5'518 similar samples on MalwareBazaar
TLSH	8C158DF8F598A9B4D15EC732C3909CA9EB6252FE53038A6C05A5CACD1F0378ECF89455
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ENQUIRY 20210602.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-02 12:22:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cbf0e8b7-31af-4384-b6c4-2a30066ccfca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/164056/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/795900

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/19d30da245dde25341b93f658cd5afd30b8f6e306f5e95d66cfbbf07ef38614e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-02 10:38:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhjq3isf3xrfgqnzh5syzvnp2mfy63rqn5pjlvtm7o7qp3zymfha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

46c2221cbd70295e87aaa2d69e59d5c7065f0a8b187b0d0136ea8fe68a63ac15

AgentTesla

4f6fa9c79a519e7f23da7e9af07462772ac70e4ec05d973074cadb7faba03d0b

AgentTesla

9682bbc8bf34d89a749880d482e492d6c8c391f6a95abc465ec1376c8cd61514

AgentTesla

a567c1bce69110434087f78f3778878036cd56b79819d35b3a0cff29cf836824

AgentTesla

acf30aabe0138a2fd83f455da4a9a3cb10c374e33b2ed7d4570a799f58e91028

AgentTesla

d6ad9479839b7c1e35a61ac244e42431e23de9be91794df9c5d027d7d1bb8c58

AgentTesla

df03589933428f3850db7b91fc6cfccb3b0e57cc43af3079183c729ca9801b51

AgentTesla

e0a0c2bb0b0436bb613bd1eb9142edf9f09166349a12c71045eeb99c13d154c5

AgentTesla

f5f61469082ef65ba46317d65f68f999d25e102c2b5f44643cb73f3108564ae2

AgentTesla

+ 5'508 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210602-655kg4p9s6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19d30da245dde25341b93f658cd5afd30b8f6e306f5e95d66cfbbf07ef38614e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/164056/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample