MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8
SHA3-384 hash:	0f365299edff1d43c0367ea2bf839985bd285b2a622acb5d5ed32d2d5b4e2048a297fc26bc92b113ce594249350aab2d
SHA1 hash:	1cf32e3dcdaf156e51dde12b32d0158bf132bd49
MD5 hash:	9333049b34113f572f93d416c63f1b36
humanhash:	timing-orange-washington-jersey
File name:	xVQbZvDJMhzHnlg.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	523'264 bytes
First seen:	2020-12-08 14:32:10 UTC
Last seen:	2020-12-08 17:08:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:FjenHjYNY3gxZKPjnkj5xBehDgyABbilOIRYUd3JnO0l5pOUiU:QnHjP725ze+RBbLrUd5Dxj9
Threatray	15 similar samples on MalwareBazaar
TLSH	41B4F13252566FAFD77D0FB6D10821108EB4B427BA17F79CBF8490D502E67984E60EB2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

xVQbZvDJMhzHnlg.exe

Verdict:

No threats detected

Analysis date:

2020-12-08 14:53:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/06a4344d-e901-4f77-9aac-8f0e7be05e9e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107263/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.28984.20637.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/557988

Signature

Found malware configuration

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-08 14:31:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Verdict:

unknown

AgentTesla

20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3

AgentTesla

39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7

AgentTesla

5810e9d665fa5ed5d1fa801d54574d2f75805e745c3e29bad8bd95226cfe684c

AgentTesla

79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36

AgentTesla

82ffc9d5e821acbff5872134b8851ba0a494e88e87df97b17b3f28c81b8f3b83

AgentTesla

98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358

AgentTesla

e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42

AgentTesla

e7ccbe9dfaa198263b85336d9f89a775f7601070708ce65b9e4612332e0207b8

AgentTesla

f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293

AgentTesla

+ 5 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201208-f215yhtsee/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

b81f27ca37fafecd3ac8e888c6254795c95684cd8d068f7a251cf6730057231b

MD5 hash:

ba291b3bbdebd68ba9d6bbfb95c243ef

SHA1 hash:

3bbc44a96a5667a14b2ccfcedc6ed12a68e0a791

Link:

https://www.unpac.me/results/449bdb7c-024c-4425-84ff-9459d6ca17fb/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/449bdb7c-024c-4425-84ff-9459d6ca17fb/

SH256 hash:

1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8

MD5 hash:

9333049b34113f572f93d416c63f1b36

SHA1 hash:

1cf32e3dcdaf156e51dde12b32d0158bf132bd49

Link:

https://www.unpac.me/results/449bdb7c-024c-4425-84ff-9459d6ca17fb/

SH256 hash:

de180853aa2bc7f67bb5698e338d98dd975a07bc3c0b0c63f1cb30f18e61fa37

MD5 hash:

e5548ae33cc9dfcdae7b7608d80900bc

SHA1 hash:

76a92bd56ab362ed55c47921d74a661fd472ef90

Link:

https://www.unpac.me/results/449bdb7c-024c-4425-84ff-9459d6ca17fb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_Reversed_Base64_Encoded_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/107263/

URLhaus

https://urlhaus.abuse.ch/url/899427/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample