MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6
SHA3-384 hash:	824b02a1cce9cbec843f85858635a381b5a15e6db59d54a8d83ba3aa8dfae833147cc4ca09f2039594d0ed9c32d6dc73
SHA1 hash:	eb1f72636407ae0e855108f7309d9204ed17b0c1
MD5 hash:	366185ae7ac91aff71406907ce654ece
humanhash:	music-ack-delta-pasta
File name:	rRFQ_251477800TM.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	716'288 bytes
First seen:	2024-05-15 00:47:35 UTC
Last seen:	2024-05-15 00:59:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:3S3RAXYMjhvPie/rByY7777777777777B+28a7iWDSkUgxIqmf+eyPmPyAYNTuAi:C3RAXYMFniyykL8+Ag2p+N6tUD8B0uHT
TLSH	T182E4230D7344A7A2E2FD977212A540D213B9A616B323C6D14DA67CF598EF3B03A24F49
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	FXOLabs
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

362

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6.exe

Verdict:

Malicious activity

Analysis date:

2024-05-15 00:52:25 UTC

Tags:

stealer agenttesla exfiltration

Link:

https://app.any.run/tasks/cb0a4df2-57db-47c4-aaaa-003acf83a23a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2842.22413.13169.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Setting a keyboard event handler

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/664406459dc4dda9c0e7a7e6/reports/18fbc287-4df4-4a25-8f12-dd74c6846d91/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cdcac75f-3436-4e6e-a8c6-80b3d34fa81d

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1441710

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-05-14 12:59:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=egyenvykc62t54h6mw5lv5jrv76kbah7ekqwp5odqoj7mu2ki7la._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla execution keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/240515-a5r4kshc34/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Unpacked files

SH256 hash:

329fc3ab0b9cf28cf3124788bd07d8e5aa1349d16d9eaeee03cbe2eeb244a8c2

MD5 hash:

478e54ca81a01c6d79fa4adc9b6cc984

SHA1 hash:

ba42b119eea964ef0a8368d6750ebbcee17b62cf

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

Parent samples :

8f5a7bde1dd7ca484c1b41d1096e562e5db6214d4633861c849b350753ccce81
198ff208a336939bc2623042646023f39ef7d0d39f1eb7ec4fe27ac3caef404b
ed8a3593d056c5afa99fc4331390b42645b3800fa98e5b5e0089f7e3260ba283
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6
aa667be19c861a59464088524698c0097d5d8a461bae61f3c5c99b4fcaef4838
88fc5d96ebc31042f41c8d80e87a1d6b8c4fabe33f11717dbf417f969604af70
72629b026d1626923f7d3280d0dabb7c1a9ee869b7ce9ec2f02c949544c8326f
a2cdc2f4fcad4c6b982674a1b3b86a0f7bcdb7c8f18c1183799d70777c726859
f7d4eed71f2bdb8ac845990506c335bb64af5877df1925794b000d4a7cf88b84
aa607c36d804e2544b7816ca4cbcfaba72506fbe5f801e7f07d5a9719c9bc633
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
bd6f2b6c65e5e3b5385eefbb2cb768e4f145106885dff956cf56815134550df9
ee68537c1249686c83087d4771e9d5b6b6888a48fcdaba7b450fc7541e0331de
7a6d0f4a00f827cf525de3d0028ffc70e2114315bcddd1298a719ddf74eb98d6

SH256 hash:

fd3f1f3f0c984361bb23b2f6ba22a4bbd636095bf6e9d0c31d77b5ccfceed307

MD5 hash:

1e504d0d93436a776666cc8236d65844

SHA1 hash:

834490f9be03a0814c6460f5aae33af12e83b8f5

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

SH256 hash:

7e843a764288885629db944e03560845bd6aae31be1e1ce1d92799b4dffb5f7a

MD5 hash:

2c3f7108d4525ac2856cb70871f15c32

SHA1 hash:

5d04332dac4d5324d89ebca26a2a609b8fd9895e

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

SH256 hash:

01022d24d0023460f0ae82584bfc43d989c1237eeee7bb6be72fc46c2ce4e1a1

MD5 hash:

8b9816b73cb9ae0b30e1ec5ecc19581c

SHA1 hash:

3debf15bb4a942fee6e5106d46152f4dcc9fc94f

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

SH256 hash:

1a35649cb5c1adf982e0793eb6834ffa91aa47c2b26120a3ee19ad857018a0af

MD5 hash:

d53542e241a56165c77e800b2e8ac907

SHA1 hash:

12a72deed37494c5fe3738e5f074eadea406e8a4

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

SH256 hash:

21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6

MD5 hash:

366185ae7ac91aff71406907ce654ece

SHA1 hash:

eb1f72636407ae0e855108f7309d9204ed17b0c1

Link:

https://www.unpac.me/results/be1e291c-e205-4ec2-8c8d-d8ed734bcfb9/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21b046d70a17/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 21b046d70a17b53ef0fe65babaf531affca080ff22a167f5c38393f6534a47d6

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample