MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1db3d20aa67f643557da4734389d4298467f57f483a17bd5b4f95c2c7bc0090c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1db3d20aa67f643557da4734389d4298467f57f483a17bd5b4f95c2c7bc0090c
SHA3-384 hash: d2b650084ee2a5426951903b917fc75cbec85e32eb064a5d2c542a97b7cda6bacfca15a4cba3ce5ccf02f59730b3cf1a
SHA1 hash: 9940153fb6ee4214fd6f81647b53936c84f74408
MD5 hash: 5253541cc53606c8f27a9d55da4537de
humanhash: zebra-maine-black-march
File name:5253541cc53606c8f27a9d55da4537de.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:903'680 bytes
First seen:2021-08-26 12:45:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:LN1yjiHhea7YOrGchrKMX3h5e3V4oCS0hh+IP1Sb0Z4tO+9f4pX:LN1nH5ScFKc3K4o8h+UkU4tH9
Threatray 8'973 similar samples on MalwareBazaar
TLSH T1AC15B23D29FD2227D175C7A6CBE08827F4149CAF3111ADA4A4D7A76A4366E4335C323E
dhash icon 4302143313031303 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5253541cc53606c8f27a9d55da4537de.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 12:50:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b7811ab-bb0d-4e58-bd12-1d54e9d2b1a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182648/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.14784.27791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d562d0a4-3454-4c71-b30a-c1d56d6dd7d6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839831
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472264 Sample: K9YMtGZNii.exe Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 Yara detected AntiVM3 2->47 49 3 other signatures 2->49 6 K9YMtGZNii.exe 3 2->6         started        10 NLKBQYR.exe 3 2->10         started        12 NLKBQYR.exe 2 2->12         started        process3 file4 27 C:\Users\user\AppData\...\K9YMtGZNii.exe.log, ASCII 6->27 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 55 Injects a PE file into a foreign processes 6->55 14 K9YMtGZNii.exe 2 5 6->14         started        19 K9YMtGZNii.exe 6->19         started        57 Multi AV Scanner detection for dropped file 10->57 21 NLKBQYR.exe 2 10->21         started        23 NLKBQYR.exe 2 12->23         started        25 NLKBQYR.exe 12->25         started        signatures5 process6 dnsIp7 33 us2.smtp.mailhostbox.com 208.91.198.143, 49751, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->33 29 C:\Users\user\AppData\Roaming\...29LKBQYR.exe, PE32 14->29 dropped 31 C:\Users\user\...31LKBQYR.exe:Zone.Identifier, ASCII 14->31 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 41 2 other signatures 14->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1db3d20aa67f643557da4734389d4298467f57f483a17bd5b4f95c2c7bc0090c/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 05:51:03 UTC
AV detection:
14 of 26 (53.85%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwz5ecvgp5sdkv62i42drhkctbdh6v7uqoqxxvnu7focy66abega._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
30b158a268121de18c54cff5537cc764ed771dc686f6de731ff823e4430f68b2
AgentTesla
597c4e531fe021e566c1040cf0a66fd4104c273cbdad24585ca4a89bba5a1c25
AgentTesla
6fa6547ef5a7c0392647c4dc9538818fe0c18b2e209cf297a26059249aa3c7d9
AgentTesla
a8f660af5a534e485b3921fbf08308b423e21e24006c0d479673afa93f0e0a67
AgentTesla
ad5e28f8cce65652f4f60d135b6006d0e1cccfa632f7ada11f60c6d4f7a4a18b
AgentTesla
b69c6670b90d4fd6f6100614e54fe4a357fd6e8cab84c9428e0d1d8715243ff7
AgentTesla
fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f
AgentTesla
+ 8'963 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210826-qxc9vhxqjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/719d0fb9-9af6-4333-a19d-b785a6b3e468/
SH256 hash:
802c61490e64b3a3b503bb0979f3d71d4df82c168cc4f9600773f3cf6443e65d
MD5 hash:
baa78d6761d3a1cd13cf20d0306111f1
SHA1 hash:
acbe957107764063d9c31b5760f5518ba7df67ec
Link:
https://www.unpac.me/results/719d0fb9-9af6-4333-a19d-b785a6b3e468/
SH256 hash:
e34ec47713325dfe99129fc24a8900b56242f70c362a43e6e5e46fd9d1526274
MD5 hash:
7def7d3233488fb42a83fc706681f5e1
SHA1 hash:
a66c446aef205ba48230f8b396aa2606c4bf430d
Link:
https://www.unpac.me/results/719d0fb9-9af6-4333-a19d-b785a6b3e468/
SH256 hash:
1db3d20aa67f643557da4734389d4298467f57f483a17bd5b4f95c2c7bc0090c
MD5 hash:
5253541cc53606c8f27a9d55da4537de
SHA1 hash:
9940153fb6ee4214fd6f81647b53936c84f74408
Link:
https://www.unpac.me/results/719d0fb9-9af6-4333-a19d-b785a6b3e468/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1db3d20aa67f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/1db3d20aa67f643557da4734389d4298467f57f483a17bd5b4f95c2c7bc0090c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182648/

Comments