MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 269351adab212ce5e190c8c45d694f497f8f62ff0d8a306fcc8f72e6578e3d16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	269351adab212ce5e190c8c45d694f497f8f62ff0d8a306fcc8f72e6578e3d16
SHA3-384 hash:	c232ab51c1110c171d7f644b51aca081ceaf56ad85bcd8635b36ce152fb005bc235562a0bdf84fe60fac2e4a57991de5
SHA1 hash:	a219deaa7ce9009c16250623d4bd546672ee1201
MD5 hash:	ce2760c2150b592ace526995ca5af91e
humanhash:	artist-freddie-quebec-charlie
File name:	SecuriteInfo.com.Suspicious.Win32.Save.a.20932.12446
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	641'024 bytes
First seen:	2021-10-13 05:55:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:annPktSBVv6sgaz2OaqeUxBymXCrJ3Prh/Wa121:annPrBVyRf5UxZXCrJjhea1
Threatray	11'618 similar samples on MalwareBazaar
TLSH	T140D412929F61BD9AEA580EB24122F9318776DE80BD3BF3199EE23C6333337D50446156
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Suspicious.Win32.Save.a.20932.12446

Verdict:

Suspicious activity

Analysis date:

2021-10-13 05:58:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5582b464-37bb-4d76-b77a-dc5a585139d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197077/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.20932.12446.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed

Link:

https://www.filescan.io/uploads/616674f31c2d58ba74044948/reports/f1ded8ec-d3bb-446a-91b5-e8aaa2a59220/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc0543fa-8aa3-4a73-b599-30d4432db6ac

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/869321

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/269351adab212ce5e190c8c45d694f497f8f62ff0d8a306fcc8f72e6578e3d16/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-13 04:36:07 UTC

AV detection:

10 of 45 (22.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2jvdlnleewolymqzdcf22kpjf7y6yx7bwfda36mr5zomv4ohula._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93

AgentTesla

8664bd0c09f992c53b0db3db2b6d5b5a14802fc7dd98d2e820d2df78fd26764e

AgentTesla

98316f49e4fbd2189f10bb175c0d2f4ac9e74b7c7f41ae176079cf35366123ab

AgentTesla

a6d9820be6946d1f5456861a455e2e0229943bbbd47f9102d869a424dd64b21a

AgentTesla

beb8e474611b28c6750fa0d04a244d5898d7f3a724150351bcfb31dce4921a7f

AgentTesla

e4c04b184aebbb0c4cd7533d2432c5a3699ea15e3fdebcaeec49edfea97cfcf1

AgentTesla

eb93c418892bb15265770d6b560e7a196a9897b65acd093a926578c64dbf7fe4

AgentTesla

f5975138fbd005ad1399f0f2623cff56d494f138a207156e272c85e6e3e77445

AgentTesla

+ 11'608 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211013-gm124adfa7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

b688ff1e56e6f78a82a80ed497c52d25eb833797d0a9bd604e76f73e36481a5d

MD5 hash:

873511dade94e448d826fa40c6772709

SHA1 hash:

7133217d69d18dfaa95ab7b41eeae550528ae5d2

Link:

https://www.unpac.me/results/29bf66c4-7a03-4793-b254-1bd67ff7f087/

SH256 hash:

4742bcd3556ba24d1c309481e25580d0cf1fa3dbcbdf92b3ee802c35ef370e68

MD5 hash:

fa01cc52bf2f9b9a701d9a8e6d1a47fd

SHA1 hash:

2268dc760f8e314376a890e03a01290285ae4615

Link:

https://www.unpac.me/results/29bf66c4-7a03-4793-b254-1bd67ff7f087/

SH256 hash:

eda4d687b865aed0078ab87078de7d9722888b2d2af71c6fc0dcdc986ffb7567

MD5 hash:

12cf5402be16590c300b442a66e9ebc1

SHA1 hash:

0ea28394d301ca1ce840f039d2da62a5ce6d9334

Link:

https://www.unpac.me/results/29bf66c4-7a03-4793-b254-1bd67ff7f087/

SH256 hash:

269351adab212ce5e190c8c45d694f497f8f62ff0d8a306fcc8f72e6578e3d16

MD5 hash:

ce2760c2150b592ace526995ca5af91e

SHA1 hash:

a219deaa7ce9009c16250623d4bd546672ee1201

Link:

https://www.unpac.me/results/29bf66c4-7a03-4793-b254-1bd67ff7f087/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/269351adab21/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/269351adab212ce5e190c8c45d694f497f8f62ff0d8a306fcc8f72e6578e3d16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197077/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample