MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739
SHA3-384 hash: 4a60f5cab8962c138369eba9f01b8c16a5e79785f37f2fb9efc9f172ddcda92da148a007188065bc04105c5b24441ec8
SHA1 hash: 030e3fa26ef33b4401685960ab314d369dc16a97
MD5 hash: e56db1dd7958f9a585c32e0a3963481c
humanhash: nuts-ink-angel-jig
File name:RENDELES.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:763'392 bytes
First seen:2023-08-29 09:09:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qVLC0hK8KnG6lwHH2yg/IkJkl6cKCCEF3+9cgSOJ3jr40Ms9w:02SK8YlwnThh5XF30S
Threatray 5'566 similar samples on MalwareBazaar
TLSH T1EEF4BEAC761079DEC85BCC73CA981C64EA1064BB931BD207902316EDAA0DADBDF155F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter smica83
Tags:AgentTesla exe HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RENDELES.exe
Verdict:
Malicious activity
Analysis date:
2023-08-29 09:13:39 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/b636a208-3aa3-442b-9809-e504f9d018fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445050/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64edb5eab3b7d7c782d0e77c/reports/bbb94e8c-29a5-47c8-b80d-7acb94fd38bb/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30a2d3ca-3acd-45cb-a7cb-607d92648fae
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299297
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 09:03:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dorh3m4uw7ddexbvg6gemy5jhppsbtffdvm7aj3yvvhzaq3no44q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0432b62b226056b540dea3ec016a862521c3191da87f99ad5a02a1f633f9b947
AgentTesla
37652ff04530efadac718f5f9666c0d51756496e34910d135fe1ea2d78abf362
AgentTesla
45bdec922b686dc1a2cce49548dd152185bbd961f73d7f166740f5bde455e04f
AgentTesla
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
AgentTesla
a394d1c47fbaacefdfb9bf4b4e39471fd17ef82a107cc0d29306a7de6e45743d
AgentTesla
a50ff27364591ebbe3589623d88752369ff33f67df2994f70d79177144376cc5
AgentTesla
bc6ac708586d3cd72851c365708a555068339aa2d10b4d031c5ed15bc4269d2b
AgentTesla
be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937
AgentTesla
c0d78a0e66df81e755349710a7c88371ad11a3dcc44115dffca63052954d8060
AgentTesla
+ 5'556 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230829-k41z7sef2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
06397ddf5fae3033e5a14a5388b93de4b9d029ec7d6fcc113eb97ecc5c501a47
MD5 hash:
49ad4203b7de5dbae2b814109495e032
SHA1 hash:
e93c8139f91e6784f8b2673a7c0b9abb4cdb9ca1
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ce5fa63a-d93d-4169-b340-9aaf3240d2e2/
SH256 hash:
e8d399db8c9330cff7ee73eb6a76c93e19cbf190d414773227f5a70a3f8e6613
MD5 hash:
dcd5e01fc044305a42b499363a987837
SHA1 hash:
99492aacf744f389be816b8104c0b76a30e57f41
Link:
https://www.unpac.me/results/ce5fa63a-d93d-4169-b340-9aaf3240d2e2/
SH256 hash:
ebaf28744bfa555219d56440db49703efd0e1757e3e219eef119725b4f0090d5
MD5 hash:
13574c506380e6ec0da25e442099b8e4
SHA1 hash:
9900c86a1bb5a605e34de9a4167aa3b93225ec33
Link:
https://www.unpac.me/results/ce5fa63a-d93d-4169-b340-9aaf3240d2e2/
SH256 hash:
4ed1dc38a28ecbf1eb8e8b82973136480a8c5aa4e778cd2fbff5606365bb612a
MD5 hash:
6b0f6ce0e462d6b1b21da802bb845978
SHA1 hash:
84e7d3c14079167288c0168d2724ae8a70f1b463
Link:
https://www.unpac.me/results/ce5fa63a-d93d-4169-b340-9aaf3240d2e2/
SH256 hash:
1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739
MD5 hash:
e56db1dd7958f9a585c32e0a3963481c
SHA1 hash:
030e3fa26ef33b4401685960ab314d369dc16a97
Link:
https://www.unpac.me/results/ce5fa63a-d93d-4169-b340-9aaf3240d2e2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba27db394b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/1ba27db394b7c6325c35378c4663a93bdf20cca51d59f02778ad4f90436d7739

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445050/

Comments