MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2
SHA3-384 hash:	881a2537ccc7a0fd7960d98127a7c1f9c0d202683e85a81e742ee54b406bf77e06855c8339133b3a2d24636b06b5b248
SHA1 hash:	4da2bec6469bb0ffc53fb573e56814538ea7b953
MD5 hash:	6c7f4a9b5f205bae1ac56e2b5738c50c
humanhash:	comet-fish-paris-ink
File name:	NEWPO-243769001.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	322'704 bytes
First seen:	2021-04-08 13:18:37 UTC
Last seen:	2021-04-09 05:24:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	18bc6fa81e19f21156316b1ae696ed6b (51 x Formbook, 24 x Loki, 9 x SnakeKeylogger)
ssdeep	6144:xdt/5sHIirMLrCzDPzik9bhdS6nO7Kv/X7lpK45QizPK:p/DLrCu6bRnO7KvfBo45QirK
Threatray	3'850 similar samples on MalwareBazaar
TLSH	1064120BBCD658AFE0B91A307CB55700B376C3F818535D43A79C3EA8D922911AE3BB55
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEWPO-243769001.exe

Verdict:

Malicious activity

Analysis date:

2021-04-08 16:18:29 UTC

Tags:

installer rat agenttesla trojan

Link:

https://app.any.run/tasks/733142f2-247f-468f-b07e-bfe02c050d28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/133215/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.12666.17565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/670228

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Contains functionality to prevent local Windows debugging

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2/

Threat name:

Win32.Trojan.Predator

Status:

Malicious

First seen:

2021-04-08 02:43:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=efw4tdiktomsxgeanmie37vdgwv6fqugoobfwczg3wrxjvrli3za._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3f7c2fbbd1ded1f0068f438b1e8a9f30076577e234c6ef54c22956541d14b583

AgentTesla

6ed8f5c23004500f4125edd751c5129935bb62a182d5922b1108fb618bf45961

AgentTesla

74d7c085cf3581fe95df8040864b8a20c866768ddffe333ffc6ac11f7f70ad00

AgentTesla

81453065bd00296f689d548aba1571a2fae836d7708089a46c62a0045ff1baa6

AgentTesla

8d244157f6c54e00f04b3e7064f8aeecef8ec589c4e50d1a635db6cc93d9be6e

AgentTesla

b4f20bb869575d8b20aaf614f422f6a889ed24d9a6031564235ff3f7a7a97bdc

AgentTesla

cb39ca4eb7f5c23639bf05752a6e57f28346b35ad175845b2ed0a5caa019fe77

AgentTesla

d6fc15effd3ff2552f0484f4d6bad4cc06b9ea4eeb2169187b6f037448fbd1b8

AgentTesla

db14356168d27875343339ce3629b4c73b00a7df7e3be524eaeb508cc4663b5f

AgentTesla

+ 3'840 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210408-y71kjqvexa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

f9ba870e3709dc5aa79ace035e868119d6e5c039818164c208c1bdb478ff89cd

MD5 hash:

1da8601bac6552b84947d1e92d90ad20

SHA1 hash:

434064b12c619226c3978f07c84e3f0ab9c95f7f

Link:

https://www.unpac.me/results/edb86767-ad17-4c48-853c-cb313b25b3d6/

SH256 hash:

216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2

MD5 hash:

6c7f4a9b5f205bae1ac56e2b5738c50c

SHA1 hash:

4da2bec6469bb0ffc53fb573e56814538ea7b953

Link:

https://www.unpac.me/results/edb86767-ad17-4c48-853c-cb313b25b3d6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/133215/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample