MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910
SHA3-384 hash: a5f7b8637f3bf5a0a60c42d6fc5294ab2dacb0ca2201e1f2836714dd67b3bc285c7032d3c276fb6dbcdc9bebf6e06a80
SHA1 hash: cabab3ca5b69e1067f86336d5e1e8154a75f4e87
MD5 hash: f11d69822a9d218e7d27b2f8ac95e841
humanhash: rugby-spaghetti-one-bluebird
File name:Bank details(Invoice)-4537658907653345427636716384-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:809'472 bytes
First seen:2021-04-16 00:41:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Fhq2oLsZ0pJzGpG+Vy/Dhxoy2SxccJLhVWcW1n0cMLQ5ZJwKW62pN+ZD7:Fg3YWH+sbX72SxccZhgcW
Threatray 5'088 similar samples on MalwareBazaar
TLSH C7058C9C3644B6DFC81BCA72C9A81C70AA216177D70BD217E01F219DAE4C697FE191F2
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank details(Invoice)-4537658907653345427636716384-pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-16 00:42:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9305d702-4742-40f4-ae07-174a40dff099

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/135655/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.658-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/678933
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 04:56:29 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=flbkgclvezgobhqtudsc4urci7225jjp2o2n5tcb25byerlcpeia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065ceb0fbdc5edcda6be175b0448361decc0f48a88dabdf39bcd31e2bbea9c29
AgentTesla
2302969f8ff5abb62c46d76a401ee04542ecfdce39eea660d65afefef6d787ce
AgentTesla
4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
6852081626f57eba1e635368355e8f02ed800cb6d6066d40306daddd272223b7
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
903de95a30d55eaf9ecb49a0a310df96c215b51b25b3d3e8628adae14a94e7f0
AgentTesla
9c0f0d0cc0ccc691d505577cbcf7091f1d46321d76c62a468e33c6012197257d
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
f2b8b81f00aedfdce3806aa895884de0a003fbd4e6cc202e355630ad9fee4990
AgentTesla
+ 5'078 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210416-4mcncld3x6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e8f4be1feeeaf2484bdffd039fb65cc5fc9c8585816ea4e1c20e73ae919f1d61
MD5 hash:
5d4dfe93ecb7055873144455bf01bace
SHA1 hash:
90f3fd70890fe7efdfea4d58e00398564f902f2b
Link:
https://www.unpac.me/results/94bb390c-0936-48da-8b43-16915040ff3c/
SH256 hash:
96a9496fce930ed87bf0082301f154ed0f1d9f9e9e8f53e6b328f54a1da96699
MD5 hash:
33b648ed5dc6f7b6888504fa60523e19
SHA1 hash:
7035f93c5105c9ef85e5bb6039436ea6151b6873
Link:
https://www.unpac.me/results/94bb390c-0936-48da-8b43-16915040ff3c/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/94bb390c-0936-48da-8b43-16915040ff3c/
SH256 hash:
2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910
MD5 hash:
f11d69822a9d218e7d27b2f8ac95e841
SHA1 hash:
cabab3ca5b69e1067f86336d5e1e8154a75f4e87
Link:
https://www.unpac.me/results/94bb390c-0936-48da-8b43-16915040ff3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

25aadba0fbdddd6e6a5e419f6852d2c0b4a1d3d12a60e7a59f7c851d7961feeb

AgentTesla

Executable exe 2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910

(this sample)

  
Dropped by
MD5 e7d295d8453758ef4398e2979dce60e6
  
Dropped by
SHA256 25aadba0fbdddd6e6a5e419f6852d2c0b4a1d3d12a60e7a59f7c851d7961feeb
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/135655/

Comments