MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c
SHA3-384 hash: db7e6e5a83931e1bccb7a2a88cec46055caf613f5f389ca4ad411efedd3eb3fa3a2e6fb9f4a4bf6fd1221e46ef085ad8
SHA1 hash: ed9e478c6f2438ec1db85a34a1bb31bd837ddd3a
MD5 hash: d4e8ebdc94412d260203b9f55161bc2b
humanhash: maryland-romeo-xray-missouri
File name:SecuriteInfo.com.BehavesLike.Win32.Generic.tc.5062
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'136'128 bytes
First seen:2020-12-22 11:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:sPzw6NXG6R00MTyWcgqSa3GvBVpq1U7co67wWo67w:NgxK0MTurS04jco6ho6
Threatray 1'955 similar samples on MalwareBazaar
TLSH 3C35BE342AEB5219F133AF755AD074969BFFB6736307E4192C91038B4623D40DEE263A
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.5062
Verdict:
Malicious activity
Analysis date:
2020-12-22 11:51:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf77cdd3-fa60-4ab5-8f20-01760b604914

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108833/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.5062.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568177
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333159 Sample: SecuriteInfo.com.BehavesLik... Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 9 other signatures 2->39 7 SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\HZsOfaon.exe, PE32 7->23 dropped 25 C:\Users\...\HZsOfaon.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp5074.tmp, XML 7->27 dropped 29 SecuriteInfo.com.B....Generic.tc.exe.log, ASCII 7->29 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Contains functionality to register a low level keyboard hook 7->45 47 Injects a PE file into a foreign processes 7->47 11 SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        17 SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe 7->17         started        19 SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe 7->19         started        signatures5 process6 dnsIp7 31 mail.privateemail.com 198.54.122.60, 49760, 587 NAMECHEAP-NETUS United States 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 2 other signatures 11->55 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c/
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 02:06:48 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=djtceveloadxgew7h77on77cjphwknxy5t4mas6alzklng5fkcoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02f2d3f0f1eb0c5e9322e3910f63041bd4aa3d4c02c823477bed14149acb8611
AgentTesla
0e770b4b1dff63afb16c1ca24f74e45905ab4e9baa1cd7ec48dada2deb252d8f
AgentTesla
67f1ae4beda733f8e96c018e86be5e24f61a6cd43311a3bd23012be2ef1a71cc
AgentTesla
698a07ee43319ed49e3a64c97c8626d26b7a9d5ff6c7c02d9ce87d0089c9ed90
AgentTesla
c08d6151741d6906767aef938ccd845f610109a4fe775c2d52ece1bc9132e114
AgentTesla
ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c
AgentTesla
d455e26e8b2cecda7ae1f03d70acfb7c72341610571638300cc561623f6a4fa6
AgentTesla
de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234
AgentTesla
f5908b0df1dd1a1b0c09d713294ed1328160f4f57e0e49abd17ef96a5b614d64
AgentTesla
fd2a7682f371ab740d8691e13d1ab27f3919414019afd1b6ddf935394c59ba60
AgentTesla
+ 1'945 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201222-b1pbtrq3k6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c
MD5 hash:
d4e8ebdc94412d260203b9f55161bc2b
SHA1 hash:
ed9e478c6f2438ec1db85a34a1bb31bd837ddd3a
Link:
https://www.unpac.me/results/cabdf787-2a99-45cc-add2-d0b014d2b0a2/
SH256 hash:
9ee6dd734bd069f59695e30f8cdc3cffce44ec07f3be1527946327dff1e91484
MD5 hash:
82723d4f99fb15055edd1cfb64a37884
SHA1 hash:
0452c9ab911e7d1b3b8a935355504ee67692fec6
Link:
https://www.unpac.me/results/cabdf787-2a99-45cc-add2-d0b014d2b0a2/
SH256 hash:
55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash:
6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash:
42a5a02eabe7d80d79408549e7686d4e44524361
Link:
https://www.unpac.me/results/cabdf787-2a99-45cc-add2-d0b014d2b0a2/
SH256 hash:
50af749b9a9280074fb5b5d3c16d973d4a730b138d8920de74282d841734979a
MD5 hash:
254cc1d5d2fc0c8c6f499b760ac5ab97
SHA1 hash:
f1afa8637c847656a4d97c79dc09a1a5ac4e78a7
Link:
https://www.unpac.me/results/cabdf787-2a99-45cc-add2-d0b014d2b0a2/
SH256 hash:
dc915970a68d7165dd694f4c34684263a5079b5018db9144bd08d65394f17e8b
MD5 hash:
a0840bd5bc21aed0bd7a35264856b29e
SHA1 hash:
f8f64114cfdbcedd03525ffb051da44142f2c5e0
Link:
https://www.unpac.me/results/cabdf787-2a99-45cc-add2-d0b014d2b0a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/108833/

Comments