MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2
SHA3-384 hash: ad71b135a29f5f7c0d894acf3a9365740397757617b5c0813628c090da35745b66b34c046779c24e009b8da5cc7e7151
SHA1 hash: 0a31748e4f2cffb6d6eb93806bd434cd64a549f5
MD5 hash: a117bce3e65c1fffb7473fbbf2f3b708
humanhash: lion-harry-romeo-bakerloo
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'060'328 bytes
First seen:2020-12-21 15:06:13 UTC
Last seen:2020-12-21 16:52:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:BV4Mp/P54v+Ux3qGOIsEJ8J00gN4oqlla519aFpX94g4OE0+Zbq4uBJs46JTBWGL:nG
Threatray 10 similar samples on MalwareBazaar
TLSH 9A951E02498168CBD7B2D490A38EC2D6B38795DCE7EA6FD4BE10E21531CC467EBB9D41
Reporter fabjer
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisA117BCE3E65C.11963.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567478
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332820 Sample: file Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 60 mail.viewthroughmedia.com 2->60 62 viewthroughmedia.com 2->62 70 Multi AV Scanner detection for dropped file 2->70 72 Sigma detected: Powershell adding suspicious path to exclusion list 2->72 74 Yara detected AgentTesla 2->74 76 5 other signatures 2->76 8 file.exe 24 7 2->8         started        13 file.exe 2->13         started        15 file.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 64 pastebin.com 104.23.98.190, 443, 49715 CLOUDFLARENETUS United States 8->64 66 192.168.2.1 unknown unknown 8->66 54 C:\Users\user\AppData\Roaming\...\file.exe, PE32 8->54 dropped 56 C:\Users\user\...\file.exe:Zone.Identifier, ASCII 8->56 dropped 58 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->58 dropped 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->86 88 Creates an undocumented autostart registry key 8->88 90 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->90 92 Drops PE files to the startup folder 8->92 19 file.exe 8->19         started        22 powershell.exe 26 8->22         started        24 powershell.exe 22 8->24         started        34 2 other processes 8->34 94 Adds a directory exclusion to Windows Defender 13->94 96 Injects a PE file into a foreign processes 13->96 26 powershell.exe 13->26         started        98 Creates autostart registry keys with suspicious names 15->98 100 Creates multiple autostart registry keys 15->100 68 104.23.99.190, 443, 49735, 49737 CLOUDFLARENETUS United States 17->68 28 powershell.exe 17->28         started        30 powershell.exe 17->30         started        32 powershell.exe 17->32         started        36 2 other processes 17->36 file6 signatures7 process8 signatures9 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->78 80 Tries to steal Mail credentials (via file access) 19->80 82 Tries to harvest and steal ftp login credentials 19->82 84 Tries to harvest and steal browser information (history, passwords, etc) 19->84 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 15:07:04 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbbu5e6gcyvtosxvq25nuqgqspdzzp4loc4foth7eznaw562s2ra._file
Verdict:
unknown
Similar samples:
25d2c8bc76bef3a842796941b7311ab6db705db48f9e60663bd3939ac5dc22a3
AgentTesla
2e302bee38d2c734914bd99beb38bfbf483a8e90ac57306ede31c13bd6ad45d3
AgentTesla
3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa
AgentTesla
47fc6e8b1fcbd7a6b0955ffeb4a6b995b50964da04b50f8e52ef5e770ec68840
AgentTesla
7beab2868ef93af646071fd61c0ab535230c0f9972980e1bded8f49c9f5392ef
AgentTesla
841306e5cf2e504499e12c9eae0dbe7f693518555f58eb5e78adf259dbd116c6
AgentTesla
aecc8b6f1937b3569b06da9c6f1f0e4c115f773a93053da7a34a436857c8d889
AgentTesla
bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e
AgentTesla
d6605a4cf0c36d6f6aaead82b3718559c1b177ae6fb6102b340fa5651ea1a9c3
AgentTesla
f5562a50ad0ba34423dc9c5745c0b2c7f3e1cb73ddde48d678a1cb75b5024a6a
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201221-hvmff3hz92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
961b96b3282456e8d7768946fd8328b6c2cd21873a0ae57a0dc5b8acea8fd298
MD5 hash:
9ba661ba9be61afd9871325e91cea96d
SHA1 hash:
5bfa8f52de844d596702f071e11caf0fbc1b51bb
Link:
https://www.unpac.me/results/58e37c1e-8480-47b8-8c85-798c2fc4bf93/
SH256 hash:
86b155d63c484ee517ef676f165a10674463d533025e7cc95343cd03ac5d6162
MD5 hash:
7d0c657cce4e284683c49da56c48f469
SHA1 hash:
eed3416e10bdb25651ffa972879694f259ece747
Link:
https://www.unpac.me/results/58e37c1e-8480-47b8-8c85-798c2fc4bf93/
SH256 hash:
28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2
MD5 hash:
a117bce3e65c1fffb7473fbbf2f3b708
SHA1 hash:
0a31748e4f2cffb6d6eb93806bd434cd64a549f5
Link:
https://www.unpac.me/results/58e37c1e-8480-47b8-8c85-798c2fc4bf93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 55d86ea8ecbeef22b629a0e78fb6dd5d675e5bcfc700a3e1bd25ea860f862c64

AgentTesla

Executable exe 28434e93c6162b374af586bada40d093c79cbf8b70b8574cff265a0b77da96a2

(this sample)

  
Dropped by
SHA256 55d86ea8ecbeef22b629a0e78fb6dd5d675e5bcfc700a3e1bd25ea860f862c64
  
Delivery method
Distributed via e-mail attachment

Comments