MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8
SHA3-384 hash: 36dfa1ac221cc5a930f3211ca87e5292b580758b9e1eafd7a371f5804d120af565e0e265bdb0b15ca6f76bbcb96a0995
SHA1 hash: 9be1c5fff0ff1ee0694e040e4357a27f5549a784
MD5 hash: cdbe04f165c478d3c4e69a5304b6ed9e
humanhash: virginia-lake-fifteen-grey
File name:cdbe04f165c478d3c4e69a5304b6ed9e
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'084'928 bytes
First seen:2021-07-15 14:43:58 UTC
Last seen:2021-07-15 17:47:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Y82By4MoYWHSPvHbAK4QErvFvIjdwFrt0d39iAF/IQCd17DQ9D7Dw3LuAw2scu9C:Ey4MoYTAQ5wbe39i11v67MvPexC
Threatray 7'175 similar samples on MalwareBazaar
TLSH T1E935F1253BC0AB8FCB3E4D728543581096F0D6272607E6C27CE352DD648E7959B226FE
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_20210715 & PO#2021.doc
Verdict:
Malicious activity
Analysis date:
2021-07-15 13:46:03 UTC
Tags:
trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/ac426e1e-1940-46f7-88bb-af521d592ec0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172022/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.3036.10700.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6bb788a-c37b-4f25-be11-296464608666
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816994
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449405 Sample: 8pOKNeu63F Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 6 8pOKNeu63F.exe 3 2->6         started        10 qXLPL.exe 3 2->10         started        12 qXLPL.exe 2 2->12         started        process3 file4 21 C:\Users\user\AppData\...\8pOKNeu63F.exe.log, ASCII 6->21 dropped 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->49 14 8pOKNeu63F.exe 2 5 6->14         started        51 Multi AV Scanner detection for dropped file 10->51 53 Machine Learning detection for dropped file 10->53 19 qXLPL.exe 2 10->19         started        signatures5 process6 dnsIp7 27 smtp.tqexports.com 14->27 29 us2.smtp.mailhostbox.com 208.91.199.225, 49761, 49762, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 23 C:\Users\user\AppData\Roaming\...\qXLPL.exe, PE32 14->23 dropped 25 C:\Users\user\...\qXLPL.exe:Zone.Identifier, ASCII 14->25 dropped 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->31 33 Tries to steal Mail credentials (via file access) 14->33 35 Tries to harvest and steal ftp login credentials 14->35 37 2 other signatures 14->37 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 13:02:47 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhpfkup6zf6erejri2ryvl7s46hgyjckxcaxjaqo7lmucn5qas4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03ef8714bc60d14808b9d17373c5e34198a4e7a60cdebab1e18f9e49c394f7d1
AgentTesla
05d2cc58039f7d736dcaea7fc43415966758d7befeabf4be9d15ec4f0bb4431e
AgentTesla
18cca7f8a3ae47663c63d5e554d38168fabc317b83a512a0d40c237cf0db5002
AgentTesla
5af4dfcb3e6c84a81b3c51962c9f32a5f24ebed2edefa5b12f1965ad6ce84619
AgentTesla
5b9fe0bbd0638b97634496cb4cd1a6b29da81ae64cc441b67d6fd825d992b9d9
AgentTesla
8b74dd8b1c02a739ef72d1e34bf011c0838e83b9a16a1f7d3eec3bff7c572590
AgentTesla
a2f1773e4b9146563dbf711ca1462448a7a847f8b6660424f72faaa5fa9b20d4
AgentTesla
b5cda4879c63a2c1981737153ed7833d1723c3548dc46971ce09a7a4f515f396
AgentTesla
cf81c86cc82a3ffc8d21661e1042d2e4d9807828563d2d00a0a2079095eeac1e
AgentTesla
+ 7'165 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210715-k8lxtjts8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
fb3baaf4745ccd5c427ec5923c177cd887c7389c954b5fd459af27ede50cd737
MD5 hash:
5e08ac03a98d03a737ca6dd3047dd123
SHA1 hash:
88f418cd70fb6d78fc391d3f30867df06688e766
Link:
https://www.unpac.me/results/69f99f72-06b1-4d1d-8eeb-ccc2444b8e42/
SH256 hash:
35d8c2086e17d57c05b5feeae9adcf4d9ae2cca1b122a6b257f1d5394eecf4a2
MD5 hash:
10d9fd61028030b1115aaed8a7a17896
SHA1 hash:
7a83d99b1b9b8338ce47b99207a278305de2e1f7
Link:
https://www.unpac.me/results/69f99f72-06b1-4d1d-8eeb-ccc2444b8e42/
SH256 hash:
29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8
MD5 hash:
cdbe04f165c478d3c4e69a5304b6ed9e
SHA1 hash:
9be1c5fff0ff1ee0694e040e4357a27f5549a784
Link:
https://www.unpac.me/results/69f99f72-06b1-4d1d-8eeb-ccc2444b8e42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1456751/
Cape
Cape
https://www.capesandbox.com/analysis/172022/

Comments


Avatar
zbet commented on 2021-07-15 14:43:59 UTC

url : hxxp://pwanroyale.com/wp-admin/new.exe