MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f
SHA3-384 hash: 7bc84f6e8517782536cd2f69fb0ab9bcc21660bfaa61199252fcc1e4906f9d03d10f063b1c5b86ab1b5180d65271640a
SHA1 hash: fefb1972eb5b71326c863be44dd1e9745d8b6e8e
MD5 hash: 3f6d710d55a45ad44986180cab153c1f
humanhash: river-fruit-montana-oven
File name:387-3703_drw - PRODUCTION-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:935'064 bytes
First seen:2021-06-08 05:40:00 UTC
Last seen:2021-06-08 06:57:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:dtg6cQFu3Aveh8Hgx2JVXlESo9nKqd0rt/Fjibk1mTHxmDI0OF6wpHYWSbSyXwo/:c6cQFu3Aveh8AxGVXuSoRFd0rt/FibkR
Threatray 5'680 similar samples on MalwareBazaar
TLSH A615466EEFC3B5321940C459F7B6C02423275E4A9DEC89999D2C5829951BFF38A3C31B
Reporter cocaman
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:aJ0f5ee0kd0c0cbi082dvnasKa5122bd77aQb5e2x0820Z0
Issuer:aJ0f5ee0kd0c0cbi082dvnasKa5122bd77aQb5e2x0820Z0
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-07T22:34:15Z
Valid to:2022-06-07T22:34:15Z
Serial number: d0feaf7de5877d88fac4754fde1d6fe3
Thumbprint Algorithm:SHA256
Thumbprint: de70139c694f3b03464c02a9eb48b010865385c3b496cb1a9f65f4f360d29b4e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
387-3703_drw - PRODUCTION-pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-08 05:42:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58dd9efb-e93f-45e2-906e-c22b45bf8f88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165123/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12442.1248.14718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798472
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430868 Sample: 387-3703_drw - PRODUCTION-pdf.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 5 other signatures 2->53 6 387-3703_drw - PRODUCTION-pdf.exe 3 2->6         started        10 Nwefile.exe 3 2->10         started        12 Nwefile.exe 2 2->12         started        process3 file4 31 C:\...\387-3703_drw - PRODUCTION-pdf.exe.log, ASCII 6->31 dropped 55 Injects a PE file into a foreign processes 6->55 14 387-3703_drw - PRODUCTION-pdf.exe 2 9 6->14         started        57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->57 59 Machine Learning detection for dropped file 10->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->61 19 Nwefile.exe 2 10->19         started        21 Nwefile.exe 10->21         started        23 Nwefile.exe 2 12->23         started        25 Nwefile.exe 12->25         started        27 Nwefile.exe 12->27         started        29 Nwefile.exe 12->29         started        signatures5 process6 dnsIp7 37 mail.vanuatu.com.vu 202.80.33.46, 49749, 49750, 587 VUTELECOM-AS01-VU-APTelecomVanuatuLimitedVU Vanuatu 14->37 33 C:\Users\user\AppData\Roaming\...33wefile.exe, PE32 14->33 dropped 35 C:\Users\user\...35wefile.exe:Zone.Identifier, ASCII 14->35 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Tries to harvest and steal ftp login credentials 14->43 45 3 other signatures 14->45 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 02:31:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez2awfnumzagpxrsl4hgmnt4ybwkmcziygpp7w2gb72nfqgzwbxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
4c122805ffa252199f267845085ea5304553a541c8814a4b907e8dfefc25eae1
AgentTesla
6adc726b1fed131552f57794978c3a0ea49e8f816092e106454e73539511e9e7
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
9bad59a7b2c604957e6dc7f52dbebcaf6b240eba426bdd2e973625cdd6c50c50
AgentTesla
bd2b74e08fad018b100e51f29b67beb001afac1b243e73f4180d22879d86c639
AgentTesla
c813f48272b6106bf37619e57fbde62d1edb5fa5772a1a131374ca05685450a7
AgentTesla
d3083455681d65c6d3d151874554ad31b053ea89daa743f09ad2128e978999dc
AgentTesla
ee126cf35bbdcf2b2e8bbff8f27371910f9037799d4a3f5dbba16e5dc39797e7
AgentTesla
f9989bce3ddcc0eb0f95bae744a31bd28e06b229f2757ad7fe7a92c8952ac78f
AgentTesla
+ 5'670 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210608-91yw659wcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
503fc893c461fe58f391b801c500e0c4a41d19cbb0e55291c3fc27b942ab44cb
MD5 hash:
bfe77816a3b604a81606504fda0dd30e
SHA1 hash:
7f174f207657b064641e4e84c588cf25768f4745
Link:
https://www.unpac.me/results/ef106751-2f1c-4787-8356-83f158299287/
SH256 hash:
f3dbf15a22e326762463c4e71b531a8de9630e8db93a0f1d429c7dc159431043
MD5 hash:
49733e63265cc7f063ea826c992b86f9
SHA1 hash:
587400206a62cf0dc822521b9d890900e444dfb3
Link:
https://www.unpac.me/results/ef106751-2f1c-4787-8356-83f158299287/
SH256 hash:
26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f
MD5 hash:
3f6d710d55a45ad44986180cab153c1f
SHA1 hash:
fefb1972eb5b71326c863be44dd1e9745d8b6e8e
Link:
https://www.unpac.me/results/ef106751-2f1c-4787-8356-83f158299287/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz b4bdffe4d750442723727823a4efd9e0c9f048dde37c127d144e33de96c6af7b

AgentTesla

Executable exe 26740b15b4664067de325f0e66367cc06ca60b28c19effdb460ff4d2c0d9b06f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b4bdffe4d750442723727823a4efd9e0c9f048dde37c127d144e33de96c6af7b
Cape
Cape
https://www.capesandbox.com/analysis/165123/

Comments