MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388
SHA3-384 hash: c52d97393684d8269f3bdbfad7bdc4807673c82684c582797b4d766d88cea82e19243e695aa84d30fff18b15111476ef
SHA1 hash: 5000e43a557d2ce9a00791cde5e3f292ccc662fe
MD5 hash: 7b26ac779ec9af0ef9b451bbbecbf98f
humanhash: music-texas-spaghetti-fruit
File name:1688809445f87fc00e6acee87144c35bacd9f413b5a80279cda5b4ffaeae6d93fda478750a993.dat-decoded
Download: download sample
Signature AgentTesla
Create hunting rule
File size:168'448 bytes
First seen:2023-07-08 09:44:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:xigGMIglGwJA8ngeaOhiRTWq2NaAFEw2kn//ckDCo:dlVgeaOhiYq9wp8k
Threatray 4'652 similar samples on MalwareBazaar
TLSH T116F3286992DABD01F33D00B8C4B111C81BB3E177925AE75D1DB1BCFA3D16783322AA65
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AgentTesla base64-decoded exe


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
1688809445f87fc00e6acee87144c35bacd9f413b5a80279cda5b4ffaeae6d93fda478750a993.dat-decoded
Verdict:
Malicious activity
Analysis date:
2023-07-08 09:46:16 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/bc049816-db56-4145-9475-e015d2d73e5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/411722/
Detection(s):
Win.Packed.Generic-10003641-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control hacktool lolbin packed packed replace
Link:
https://www.filescan.io/uploads/64a930239bd9f933fbb8efce/reports/fd293c57-dc84-4cc7-a05c-e1d983431ab6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19eda6c8-7c30-409d-b21c-96f9c4b69484
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 13:34:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egsprify6gnztg4igarpo2ramgsgx2kodv47kkihyefgnsayuoea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05207dd36f4c190728bb232953e7282871243167b39e416985a4539d48103a5d
AgentTesla
1a6889803b766ce102a10973126f946e3618a0f80c1cee6d902304d2ffae06c5
AgentTesla
38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e
AgentTesla
511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
AgentTesla
54b8c91ae0485d795f9821b01eb839bd682aee18df6a0b54d14d6eb2a2c0e83d
AgentTesla
816dcc8bb5070ed2db687bdb064a383c946c8183f5e0c089f2453653be8a3086
AgentTesla
940452c26b4fd683f1c88746b751d4299e9b8c3fe25aa62168eca31924c17592
AgentTesla
ac067aae48bb9721394a0e6b38af08a25e1eb96f4caba33ac7e669decac6d3cc
AgentTesla
+ 4'642 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230708-lq26saeg4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388
MD5 hash:
7b26ac779ec9af0ef9b451bbbecbf98f
SHA1 hash:
5000e43a557d2ce9a00791cde5e3f292ccc662fe
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/569552b0-c848-425d-8a20-ff79267c6a42/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21a4f8a0b8f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

unknown f87fc00e6acee87144c35bacd9f413b5a80279cda5b4ffaeae6d93fda478750a

AgentTesla

Executable exe 21a4f8a0b8f19b999b883022f76a2061a46be94e1d79f52907c10a66c818a388

(this sample)

  
Dropped by
SHA256 f87fc00e6acee87144c35bacd9f413b5a80279cda5b4ffaeae6d93fda478750a
  
Dropped by
MD5 8a1dfe9279a6ce5bc073d835c65fe50b
  
URLhaus
https://urlhaus.abuse.ch/url/2678619/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/411722/

Comments