MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58
SHA3-384 hash: 68029582b12558867201251eb34a127927032a29008a355678fa730f7dbfa251f3f779e8fd096c3d21a378f42afeeaf0
SHA1 hash: 33468ac35616b8dbc602d7044ced76712fe0238a
MD5 hash: 0963e755e3cfb5a068face937603db77
humanhash: video-quebec-salami-river
File name:triage_dropped_file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:775'168 bytes
First seen:2021-07-12 23:03:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'601 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:8gdcfXN5GnTOdU+CHpZsPhSY3Z4GvdoNaxi4vvRxBNRho0OR72EB5kqZauf:XGFSyZ4yc4vp7NRh9ER
Threatray 6'618 similar samples on MalwareBazaar
TLSH T19CF46B3C23FDA509F23BFF71AF90E2459FA6A27A9225D14D5CD8020A5821D81FEB7531
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
Suspicious activity
Analysis date:
2021-07-12 23:05:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e5820659-6da7-4c8c-b236-ea14fd0ec24d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171193/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7e1f633-4ad9-4b71-a5cb-215b959ac28f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815198
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 23:04:06 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eaezw2h4pclcmfbuu6p74m4y7afcnaiywganzz5hv6gjw4ta5rma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e00993f9b487efe986bb97b3408fd6111d0983d29e86943c1deafc72ac7333f
AgentTesla
27b11d7e95c9a02c9ff8938b12454e139a5124bd5d38b4cb04308316f0fb7e09
AgentTesla
88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771
AgentTesla
98ede977d95e3ce373b2d6613e7128c138d959f94060f47b63b6d087811aba60
AgentTesla
9e01f131107841c788f990a02403dffc3d7f04b4ed0ef934c3f2ccf3c1d21d62
AgentTesla
a661b519e8e823195e7c2678943617cbdf5d19d22f9996c9e3f405d571aef736
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
d1d03bfd052d4da26771988a7d52eeceedb30f423f31649f9ff25cd117ddd274
AgentTesla
f885a70224456ed92e59c2b7f75177c2094c31f02d8b5ae8063f400c16ebdf03
AgentTesla
feefe7ced3cbfed22efa37a37aca19f34f7c8821497a022b44d5e1007c20ba5a
AgentTesla
+ 6'608 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210712-ge1f8hsxra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/48c8d2e6-ced6-40e1-8938-15b20bcd53d2/
SH256 hash:
02373453b98d54eecb4af0f8b04de92a0980f12840c72609ad7439ec4a2a7245
MD5 hash:
229f4a103972fdcdae412bd2b1b9d6a9
SHA1 hash:
a6f2e44f72a0c38d5fe02563115022a07525a49c
Link:
https://www.unpac.me/results/48c8d2e6-ced6-40e1-8938-15b20bcd53d2/
SH256 hash:
204aa4554009fa495c711fec0ef1ae493482baea0c24617345de0cd5ba277060
MD5 hash:
648bef37d78d0d5b1e9d1b0ff68d1396
SHA1 hash:
9db5e206bad1d9f5fb987fe41ff349403065bf99
Link:
https://www.unpac.me/results/48c8d2e6-ced6-40e1-8938-15b20bcd53d2/
SH256 hash:
d5999d62ee1d81217a0d9541ad37a18e3f482324fa899ac4c9185faba686e933
MD5 hash:
0fece207510007de300e9c5cc6a1c880
SHA1 hash:
8cce8c697ef4412306b3eb86697a76b62fc62d33
Link:
https://www.unpac.me/results/48c8d2e6-ced6-40e1-8938-15b20bcd53d2/
SH256 hash:
20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58
MD5 hash:
0963e755e3cfb5a068face937603db77
SHA1 hash:
33468ac35616b8dbc602d7044ced76712fe0238a
Link:
https://www.unpac.me/results/48c8d2e6-ced6-40e1-8938-15b20bcd53d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171193/
  
URLhaus
https://urlhaus.abuse.ch/url/1450204/
  
Delivery method
Distributed via web download

Comments