MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20bcd02266e2cfe1def3496611a8463d709e5c87d08a0d5c292db81a431d03fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	20bcd02266e2cfe1def3496611a8463d709e5c87d08a0d5c292db81a431d03fb
SHA3-384 hash:	e5eb5c025e3e57a99ef92907b72387141dba122f5dad5d9fd1530ea2a4a6d15a90ae6c8cb51f9b74dcae3300248b0548
SHA1 hash:	5a2cfc8d742b00e476f57c5c283a0755247efc83
MD5 hash:	44198a79117d3ae1957fbd514b8c8584
humanhash:	shade-saturn-emma-ack
File name:	SWIFT payment copy #SCAN 001.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	816'640 bytes
First seen:	2022-02-17 10:13:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:0H3qLC5VkoijpFm/nmtmkwuEEviRG0dShphwowifNSlC7f3kFujWn5:RjpFY6st7RG4ShvmrCruuq
Threatray	15'437 similar samples on MalwareBazaar
TLSH	T18205BE6631EF1096D3A6EBF10FD8ACBF869EF173160E363631816B568732A409D02775
Reporter	pr0xylife
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/242214/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.57439.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

black obfuscated packed

Link:

https://www.filescan.io/uploads/620e1ff1ac8ad0468b4b2137/reports/1a52ca86-aa55-4899-b184-458d77082e4a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8a3a6bd-3df6-4440-924b-ef0c31751285

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/941505

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/20bcd02266e2cfe1def3496611a8463d709e5c87d08a0d5c292db81a431d03fb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-17 10:14:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ec6naitg4lh6dxxtjftbdkcghvyj4xeh2cfa2xbjfw4buqy5ap5q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

77eaed5cde7243b357db648d37fafd906220fc6f0c415561162e6fe5a1c39959

AgentTesla

85f2e664b113cdbd49156057515ddedc60ba32235e49257b44854a7be52eb77e

AgentTesla

9deebf0b90acbe1b7d3c4afd3510c6b46b4376e7de040b65f0ac2814ecbe3973

AgentTesla

9fb67556572118c8a0b877ee400b0d63ccb4d5c021719f99903f8bd3cedb39f5

AgentTesla

b6164c0e4ffbe4352d2dc361bb39a5d4fa7138193457fe49de15f4306d00d40b

AgentTesla

be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c

AgentTesla

ccf76c3f6df5a866f9ab20ba477bf645f35dda1abd0f3c52a9dffdd49a6bbefe

AgentTesla

e6f6946387b46541225e9fce78648eb1bfdd7a99cba8b84ca244965ef5482767

AgentTesla

+ 15'427 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220217-l9nshacafp/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

d5055eebe7e96d9da9fecc6169ee63eec0c34b42dd48834ab857482bf56bd853

MD5 hash:

50e09e6ca1801dc2d76b6c7bc2dc0a2c

SHA1 hash:

dd78cfa3d41b572c90edfec8e43483e30933ee3c

Link:

https://www.unpac.me/results/3a36e6fe-e004-4ffa-99b5-2ca6b5059e63/

SH256 hash:

73a6c6cd6ee7c45ee8fac5d188b62220a57b58378ea52312ee8de4e3bf4cdd36

MD5 hash:

4590ff866e80849de5eeecc6bbce4ebe

SHA1 hash:

888be4e9b79c8ca695f55a3233143e49f857e5d2

Link:

https://www.unpac.me/results/3a36e6fe-e004-4ffa-99b5-2ca6b5059e63/

Parent samples :

a1656422c4dd3258ef32113f77cb5ca0e9b8d01714dc45742c3465f9d45a77a2
d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
bfd07274e23732c9a75a16fb2b4b31908c1905805b2f8e9531adb3685f979ca3
f77fe8a7ebe7c42c57282c9cd76924949352b8ea05b9f4225508f815c6ae2aa6
2b9c90d187ee41125aee4760c07325e70386c8a7101fdbffdb41afd48101e036
5bcc027ae64ff8a43719140a97435090a851526b1dccb40b858eaa306723b18b
9c2a4b70bf191376e0c274db03110bb536add938a19f7a726e90d1b12a36faa5
810d6fedd690fa86ac01ee4b15a1038d2b045ccc2a10262f1c9bbd04cc1ee935
42158ff6c72753c9d9cef04c823c649225208b13a9509b732234b7fd29cc0629
b36729fe425ed9de3c8fc7c9fb4962cb55152e21cc151326465145a6247c2edf
07cbd8a3deb941e46404af8b1093168b4029ce8f36e4ec18844ede50268602e0
82211de23461b7060737032b0ab788d6cbf5e2486bda7bf9f2c1c7d846ef9234
fde44c87c4f5bb65134e59545fbe40e5f6d6ffdfc397fe247c55f523eb8bea9a
05451697650c572c6b41802d4dd8b1043a6e3fc89e47af247fb88f152dbe4072

SH256 hash:

2d5282788b980bab38279d40fb9e82a58ffe43f804b749f716d235f0caca52ee

MD5 hash:

698d229b37540326d74615932efc28a1

SHA1 hash:

54890cfad0b39217ca89b7ea526a8ed4313516ad

Link:

https://www.unpac.me/results/3a36e6fe-e004-4ffa-99b5-2ca6b5059e63/

SH256 hash:

c526429edb440ae61644e11c1ca1898c0d23ab41df7dc6799d773305a7c45151

MD5 hash:

8ea2078c373a8e8d14d4880a6091b948

SHA1 hash:

0353dd98b2d950b9f933736dd19b4d77867128fd

Link:

https://www.unpac.me/results/3a36e6fe-e004-4ffa-99b5-2ca6b5059e63/

SH256 hash:

20bcd02266e2cfe1def3496611a8463d709e5c87d08a0d5c292db81a431d03fb

MD5 hash:

44198a79117d3ae1957fbd514b8c8584

SHA1 hash:

5a2cfc8d742b00e476f57c5c283a0755247efc83

Link:

https://www.unpac.me/results/3a36e6fe-e004-4ffa-99b5-2ca6b5059e63/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/20bcd02266e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20bcd02266e2cfe1def3496611a8463d709e5c87d08a0d5c292db81a431d03fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample