MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2056868a6d424e281762a3b4342bfff041ad23d30744a9a7365e04499788dfe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2056868a6d424e281762a3b4342bfff041ad23d30744a9a7365e04499788dfe5
SHA3-384 hash: e8b4a896c61afd65b6f4366f3f2e28970c5d3b36eddda306beeae8f855ebd6b541eddec0540f7f99bebe31bd545f5e81
SHA1 hash: 209708257fd04a0f06c0aac35c1c035004ca3356
MD5 hash: 08297b1dd6ad333b9fc66c9e64cc9b7b
humanhash: diet-king-fruit-ack
File name:SecuriteInfo.com.Suspicious.Win32.Save.a.8632.29603
Download: download sample
Signature AgentTesla
Create hunting rule
File size:933'376 bytes
First seen:2021-10-04 04:42:52 UTC
Last seen:2021-10-04 13:09:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KirOw5r0zGhfGJ2mivi3DpP4iwGHNelvv0RcqsE2K046Mnq0UnsO5lJkKzUvoPU/:7AiIhJd3dz+9Vlr1PPOeqi
Threatray 10'597 similar samples on MalwareBazaar
TLSH T14C151A9013CB9EC4F03B6734B0211CE7A6FE660DE379CE15699A3AD78DB6740461DB88
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Suspicious.Win32.Save.a.8632.29603
Verdict:
Suspicious activity
Analysis date:
2021-10-04 04:45:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42dec901-2f00-443a-9327-f94a7a452117

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194407/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.8632.29603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2f9498a6280f39325008/reports/162f13c0-3448-4cea-b076-61fcb8ccb4d3/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae432e4e-d129-4779-b08c-d6a4b1dc9be3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863632
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496060 Sample: SecuriteInfo.com.Suspicious... Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 2 other signatures 2->49 6 SecuriteInfo.com.Suspicious.Win32.Save.a.8632.exe 3 2->6         started        10 hZYWq.exe 2 2->10         started        12 hZYWq.exe 1 2->12         started        process3 file4 23 SecuriteInfo.com.S...Save.a.8632.exe.log, ASCII 6->23 dropped 51 Writes to foreign memory regions 6->51 53 Injects a PE file into a foreign processes 6->53 14 RegSvcs.exe 2 6 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 29 technotronics.co.in 208.91.198.167, 49907, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 31 mail.technotronics.co.in 14->31 33 x1.i.lencr.org 14->33 25 C:\Users\user\AppData\Roaming\...\hZYWq.exe, PE32 14->25 dropped 27 C:\Windows\System32\drivers\etc\hosts, ASCII 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 5 other signatures 14->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2056868a6d424e281762a3b4342bfff041ad23d30744a9a7365e04499788dfe5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 02:33:03 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eblinctnijhcqf3cuo2dik776ba22i6ta5cktjzwlycetf4i37sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09aee6abb9346613d79d14df006bde49924dfe308ca268e349ad134db2d0afa9
AgentTesla
60ea5d831209598cc0aebbd8d5f31f4bb43c29b054f565bbbcb5353b9c7ad06d
AgentTesla
81d4a8f888a6d81d95c4bd6f0a727f335f5064b445203acf298405baf6fecc29
AgentTesla
87833ac492bd1cad8d4fc8b809b8c04b77a28684c7a07721c1911a3847945d62
AgentTesla
8ffd510513cafe4d5b4812ef693f06dcff7dc4097cccacd1be4ca0d308f3494d
AgentTesla
a13358dc68fa269593c748326b56c608532c665b023915758bdec940aacc89ec
AgentTesla
b019e8d729a835b9834889650eb87183538da0a1ff600e138db6065efea24a57
AgentTesla
cfb24eeee1fb9753433c3eeaf857ddc8f33512866a40ff22daf6c203adeee62d
AgentTesla
f0d328b8d12d32d2bc29faac2f18c30b74a2e99053113fe7e9d8068408e46299
AgentTesla
f97b20de4d8f123a11901c5dee2121c2c5b6f6d6baea3cb26404c53f5f681822
AgentTesla
+ 10'587 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211004-fb9dnafhhk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
268dfe3071c5fe5bfccc46029d3b1ff8e08cf0ffcdd6629e4f19aa176e5ae360
MD5 hash:
3281b8787e4424ef477216a27eedc5d2
SHA1 hash:
dff54f5096cf1e36a2b8cd16fd3b2ecba475c1d5
Link:
https://www.unpac.me/results/b140a6f7-1070-48ea-b0a2-81ec9c291237/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/b140a6f7-1070-48ea-b0a2-81ec9c291237/
SH256 hash:
2c9f57dd9f4b785afe0bac4fefdffbb6be2771dc616f6ef974bbc15113f14d2d
MD5 hash:
73d0aeb4c307d33836794df0162dcd83
SHA1 hash:
335f9aef4ce8b7f7c481d128bde4495d2e239cd0
Link:
https://www.unpac.me/results/b140a6f7-1070-48ea-b0a2-81ec9c291237/
SH256 hash:
2056868a6d424e281762a3b4342bfff041ad23d30744a9a7365e04499788dfe5
MD5 hash:
08297b1dd6ad333b9fc66c9e64cc9b7b
SHA1 hash:
209708257fd04a0f06c0aac35c1c035004ca3356
Link:
https://www.unpac.me/results/b140a6f7-1070-48ea-b0a2-81ec9c291237/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2056868a6d42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2056868a6d424e281762a3b4342bfff041ad23d30744a9a7365e04499788dfe5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194407/

Comments