MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e777e70551c8ea57aeadde329983b3e7cce6ae9b457c4903db6eb02d1a5371a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	2e777e70551c8ea57aeadde329983b3e7cce6ae9b457c4903db6eb02d1a5371a
SHA3-384 hash:	dd936b9e7c39c9fcad5020b1a2b31497aa56bbc50cf40e6db23a6c52b907318393f18c6b405993668ee89fe05b3e3478
SHA1 hash:	133e948130f40f761c7170c413b03ec020239309
MD5 hash:	12030262a5221f381d6f7e0171b00537
humanhash:	double-bravo-massachusetts-eight
File name:	JOkgV66HDkLxaVO.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	776'192 bytes
First seen:	2021-04-16 15:26:17 UTC
Last seen:	2021-04-16 20:05:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:WUt4Qzjvuup1WKcr64S+o0bTVwx4ew+sGr2xxEpSEDxVzRRRRR:Wbe6upQK4JogTVwOew+AwpSED/RRRRR
Threatray	4'007 similar samples on MalwareBazaar
TLSH	1BF4E0083298912AD3ED77BC1FA0C53043B86D0D5A16CB1D2AF16DAF35FE707D512AA6
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

JOkgV66HDkLxaVO.exe

Verdict:

Malicious activity

Analysis date:

2021-04-16 15:32:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7ed8f12c-f292-4eec-b60c-5282c6876ccc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/136263/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46111050.27659.23950.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/681127

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/2e777e70551c8ea57aeadde329983b3e7cce6ae9b457c4903db6eb02d1a5371a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-16 15:25:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fz3x44cvdshkk6xk3xrstgb3hz6m42xjwrl4jeb5w3vqfunfg4na._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1374869c60aed3ac4e36b96fc525bc5b1a02f1c51a1eba44cfb46ede8c9b676c

AgentTesla

1a5421663abc706ce1c326cd443f5aba56108c99ef8e885261366aabf2e2f915

AgentTesla

26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45

AgentTesla

462643fe63b5e4b31db25550dca89220bc47a4f3cc7ce49abf21721e60856a8c

AgentTesla

55dee6475ed6ea1cfb43a31212f428175352d010544945ad7cdc5341cc388da4

AgentTesla

5842f3956659c2e81a88473dfd7603182d4e43cd8120e24a61189e7a43541751

AgentTesla

90dea85ad9ae332c6f09cb3e9852515e3ae4eddf9e59b5aca5d0c7e94ab8bbbc

AgentTesla

af1d434f702045685e163c36d8d24098389e7675eed56ae34a90532764df2d3b

AgentTesla

f9ac482ceccf651bfb9fb322fb71f94a3ae3a64a2113541fcd888d40d305898c

AgentTesla

+ 3'997 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210416-5nwakjes4n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e33b0d0b4b86f0dbb3d1278e68e88a650e5f3350694efb70be313761197b1969

MD5 hash:

471161f6f24e5d26b2db3e0ee18e80b5

SHA1 hash:

ed98f1178a5fe4b86fe0f7e4cd5ebbfba7483a30

Link:

https://www.unpac.me/results/98e268a6-2f50-4ea5-9b2c-8faf6b19d24d/

SH256 hash:

2e777e70551c8ea57aeadde329983b3e7cce6ae9b457c4903db6eb02d1a5371a

MD5 hash:

12030262a5221f381d6f7e0171b00537

SHA1 hash:

133e948130f40f761c7170c413b03ec020239309

Link:

https://www.unpac.me/results/98e268a6-2f50-4ea5-9b2c-8faf6b19d24d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/2e777e70551c8ea57aeadde329983b3e7cce6ae9b457c4903db6eb02d1a5371a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/136263/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample