MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b
SHA3-384 hash: 560164342b1a461a8707705b7a0ee3b50e743f734b3148f6117f04bea77089a4f4b36d952092f695de10872d24703ef1
SHA1 hash: 7611f4395d5573674d2a581c9a2be7ec914d5abe
MD5 hash: a44e848013930cd79501dfac54ff94cb
humanhash: pluto-double-avocado-grey
File name:UCHA-23072021074020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:252'049 bytes
First seen:2021-07-23 08:19:11 UTC
Last seen:2021-07-23 08:39:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b89f3af6e8726c625cba8a18b46cbaf3 (2 x AgentTesla, 2 x Formbook, 1 x OskiStealer)
ssdeep 6144:8aodjfLqNBF8hphbmAtricSl4hE5btTlbOUZXFS72JEMQRVfr9wr:q+AtPSl4y6wiXf6r
Threatray 7'273 similar samples on MalwareBazaar
TLSH T1E434E0AEBF5DF705F40201B4B930E1AE45213331289F506BB7E8771B58D169E8C6AE17
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UCHA-23072021074020.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 08:22:46 UTC
Tags:
trojan rat agenttesla stealer
Link:
https://app.any.run/tasks/9afca997-5f9e-4439-ae29-cb8eb3d86db3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173557/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.24658.19592.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/922c5bc5-91ff-4f9c-8388-ca16d4747f40
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820621
Signature
.NET source code contains very large array initializations
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 07:14:30 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fczllq725avgkr47syxffat47gmalspi774g3wozcdicloooe45q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20
AgentTesla
70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910
AgentTesla
9faaaef82bb4be60e65e7182bf8015d2a25fb7b2cecf59f0573f36fcc8635eeb
AgentTesla
ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8
AgentTesla
d2900e5f43d302add8c33e39ac9949ea94e3b927a3d56611b60b8e81f4768fbd
AgentTesla
d7f849c08fc614aceac5bc6fd83986854d04b5187da537ecc0a7def3f4a8250a
AgentTesla
db9adfc3807ddd2dc36e0e95b8960fbb539764d97b3d7607e3096433719a44ca
AgentTesla
e2de0b373a9d111b124bcb175d7d9a253cc0cd7ce8dc1dd6d90ce7eb0e205def
AgentTesla
+ 7'263 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210723-vzkpehz8ke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://6llion.com//inc/cbc38431b42dd0.php
Unpacked files
SH256 hash:
1dceb42e4363cf7f57d3b0734fd7c0320b2a4a9983b267792b1315bbdc13a814
MD5 hash:
9c7d265c8b3fc51383632aadef388015
SHA1 hash:
b76b023987c44bc6d953dc2bd2bba32424a137e2
Link:
https://www.unpac.me/results/781facac-7520-4acb-84c5-e9a8de180c31/
SH256 hash:
28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b
MD5 hash:
a44e848013930cd79501dfac54ff94cb
SHA1 hash:
7611f4395d5573674d2a581c9a2be7ec914d5abe
Link:
https://www.unpac.me/results/781facac-7520-4acb-84c5-e9a8de180c31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 28b2b5c3fae82a65479f962e52827cf99805c9e8fff86dd9d910d025b9ce273b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173557/

Comments