MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 13 File information Comments

SHA256 hash:	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695
SHA3-384 hash:	3f3133f6d5cb781d35548814bad86a6d4e64f8052e625dee942642ac47d124664dc96765f04093244e8c3671d03e8abd
SHA1 hash:	29d589b838b4e1a5e54a6bfe52da0d5859609865
MD5 hash:	3e9a543b85c85a0b808902b0b6cef9b2
humanhash:	massachusetts-kilo-arizona-hamper
File name:	7XBKILS0ZMnn32F.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	780'288 bytes
First seen:	2023-11-06 14:50:18 UTC
Last seen:	2023-11-06 16:13:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:aHW7TohIU2CoLBPdV+GLBOeUjYb9qUp5jlnRLm5bvL2z4is:a27SELNdYGL8eUjYbMUp5RnRLm5LLw4
Threatray	1'481 similar samples on MalwareBazaar
TLSH	T18BF4F14473F9BB63E47A97FA44B1501907F165BE28BED2498CD268CB1AB2F001B51F87
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.1383.1411.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6548fd5e3dd412119bee7478/reports/b9ad7463-68da-4b75-93fd-b16714e5bd7b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/026931a5-bda3-4947-aa99-9e252cf2dbf6

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1337711

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-11-06 14:51:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=duq5u7fd6eif4d52jrscqhcbtgq5e6el6l6v5wlvkkphu7vg22kq._file

Verdict:

malicious

Label(s):

agenttesla_v4

AgentTesla

2b740ef55ed31627baea39dd67f586a025763ce973415b30d71d2990e4d7fa6e

AgentTesla

33eaff1311456c3c5379af5a4423de4a83f2b7cc013ccb0d6155265209a13be2

AgentTesla

73a362f5fb3b1512dd913f9f5fffe0e3968d10ee6e5c243bd76ecbc5cd20e45c

AgentTesla

742d4eeaf5d2f058c8e38522ef496f6fae185af750540a25fbc43c784d9f23de

AgentTesla

c6800ce0835e6faf9ecb2513a34ebb7e57943dcb506ecde04b854b3d4208cd57

AgentTesla

f13fe7c53a790d33a00e6bd4e5763b1a333a6613311daf6c54cc85420335f383

AgentTesla

+ 1'471 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231106-r75wwsde52/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6857395601:AAEr0Ki03_UqNs4qlOxRNOhnjU8odyo6de4/

Unpacked files

SH256 hash:

e3d0df559f593090443cc407d650f23cc6de02ebe313b6d06346c71d02ef0e87

MD5 hash:

ed60d9dcfb16ef875671ed717cf29ce3

SHA1 hash:

e6f3c11552e19e6f8ee1a886586bfd57d377d9e9

Link:

https://www.unpac.me/results/e67c1c18-06fb-4b9c-a397-b4bb7062f6b1/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/e67c1c18-06fb-4b9c-a397-b4bb7062f6b1/

SH256 hash:

bfef9eac82e53e8d63bcb3b3022880eaf8f22cbbc6c69f3782b59c438f649f12

MD5 hash:

ddf81912128dd196140e9be656c3a212

SHA1 hash:

51221baf7115f7f2de03cd00b8b25cfde9241a35

Link:

https://www.unpac.me/results/e67c1c18-06fb-4b9c-a397-b4bb7062f6b1/

SH256 hash:

eb213ddf403a1a182833ff251246df7dcf612f936e6d4fac2d544605e66aa151

MD5 hash:

f08f0b8df31f29b7b58b14aac3168641

SHA1 hash:

2670cc59bc97f9a1a59e05e804b2c9cacf150d26

Detections:

win_agent_tesla_g2

Link:

https://www.unpac.me/results/e67c1c18-06fb-4b9c-a397-b4bb7062f6b1/

SH256 hash:

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695

MD5 hash:

3e9a543b85c85a0b808902b0b6cef9b2

SHA1 hash:

29d589b838b4e1a5e54a6bfe52da0d5859609865

Link:

https://www.unpac.me/results/e67c1c18-06fb-4b9c-a397-b4bb7062f6b1/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d21da7ca3f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample