MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7
SHA3-384 hash: db3c4f5380f7de3a67742e9583951d930289f747aaaac7cbeecda2685eeaca96e08fac548f59c9551a9a2b314881d56f
SHA1 hash: b0bbccd49547b22fa94a57e1036788dff876202d
MD5 hash: 92943fdfb238865c95c33f6a59f846d2
humanhash: earth-green-nevada-delaware
File name:92943fdfb238865c95c33f6a59f846d2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:849'920 bytes
First seen:2021-03-04 07:52:47 UTC
Last seen:2021-03-04 09:45:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:eKxTtS/py8HaP9phJ98Sm0W2QqkKLZc0clyhgbPWnirQep69MicVLqHdBLaXL+Yn:eJ/py8kG0FHdF0trQeyYm5YfJ
Threatray 2'947 similar samples on MalwareBazaar
TLSH FB05AE7076E95644F03A5B795AA035609BF7BC36DF10D10D7CA9428D4A33A82DB32B3B
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92943fdfb238865c95c33f6a59f846d2.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-04 07:56:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc8106f3-f1ee-4b10-9503-99aad497752b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122200/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.28896.6305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/628309
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 07:53:08 UTC
AV detection:
4 of 48 (8.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6wjy46uxb2uvncbokqx6cbderpy7bz2a23nrh7op2jfxh5vsxlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
013066864283e4be87e7bd39b6e75ef40e98014377d520ffd213a8de2d59923f
AgentTesla
1e107f01485dd3c413656b5e2d2fdb79166847cd8b3e5f6dc0bcf4895d530c39
AgentTesla
569d9358801eb518b152cb73009131508a3f14b136b0eb80025ccf438865a440
AgentTesla
7f0ea66dd72bb10bff78950f81838509cb29b28c3384ca0b7c1055b47cd3166e
AgentTesla
a67f9172ca1a41d7403d46be868448d83c1c80a1dbdd714b4122a62470ebb00a
AgentTesla
c40b3c5a2696e88864ddb4de1d3f1a9a93d50474908fb50aacda3a7b537b6b5e
AgentTesla
c7b35f96dd3b10e207d17ad146b9be7ea80ae88a0370ce0a5ae5f9681a87fc2c
AgentTesla
db246e1485ae9b8a9c333a9b2d717187ed367a154b5d96bd6dbb517400e1a1bd
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
fdd29486217d3f13351e6245fee6a892fc4f9c2a9d51e19dca7c8c54c05da3d1
AgentTesla
+ 2'937 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210304-qq3pd8dmys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/3da03176-5f8d-46bd-9d67-52d449a0fcf5/
SH256 hash:
27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7
MD5 hash:
92943fdfb238865c95c33f6a59f846d2
SHA1 hash:
b0bbccd49547b22fa94a57e1036788dff876202d
Link:
https://www.unpac.me/results/3da03176-5f8d-46bd-9d67-52d449a0fcf5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 27ac9c73d4b8754ab44172a17f0823245f8f873a06b6d89fee7e925b9fb595d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1044828/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122200/
  
URLhaus
https://urlhaus.abuse.ch/url/1046628/

Comments