MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713
SHA3-384 hash: f4a4dca2cd8072dee2b55031162965b75e49cfc8643486ec5957ed14c9b0858c98711d3cf43a29b656cba8ec36482b9c
SHA1 hash: 8512adf44051d7c292b875d652128c25c7b5572e
MD5 hash: 4cf00a84b2a96c9f35910063eaadf02d
humanhash: music-crazy-moon-sink
File name:SecuriteInfo.com.Trojan.Packed2.42850.3598.29666
Download: download sample
Signature AgentTesla
Create hunting rule
File size:622'592 bytes
First seen:2021-02-22 18:14:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:SRdGqU+EnVfRXM9xPrUWDApnTWwquMPByRld0P/tF6Mcuksi91:SR6ptMDjinTWwSyM
Threatray 3'761 similar samples on MalwareBazaar
TLSH CED4697C313075AEC40E8C779A549C1096217026473FF132AB53F1AC960E6B6AE5FDAE
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118368/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42850.3598.29666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614407
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 16:13:59 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdsl5zn7ckbdnquuzjgguyqy5wasvyso54dusnlkq3fetgrga4jq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
379cb7e16563b36644d8ffee8ae650e59fff7241835f129d9b5436279d90a6e5
AgentTesla
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
AgentTesla
5a3f9d251d83e67be84a067e354a950596478b1fc2cd6d6d1cbb07f6ca57b557
AgentTesla
77dafc4c23c98c2d0518eb6bcee7cfc13128c249dafc4d5faefbfb67425f40e1
AgentTesla
7c38652e82dd9a34d66d7f2086b55bd88db405974eed27dc8ac5ba3f15616729
AgentTesla
bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857
AgentTesla
cb145909667bd181409f1e14b6b2fd00ec9f8894ffaba82bd2b1888065e6a22a
AgentTesla
e49ea9c326ce0cfcf7c4795428cda9d52da65c670a31748b1cb067b14d6a3c83
AgentTesla
+ 3'751 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210222-jk46kwxayj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
8c3642169b28231b0db5122b36e12d22b52f1f4063fbfed05714e9c461fb89d0
MD5 hash:
e9525a40ec28fac98d8a47b43af91481
SHA1 hash:
e809dbdc0d71491ed576a33d6fce38c95a4755c6
Link:
https://www.unpac.me/results/3c93bfa5-6fc9-4bde-9481-a8722b6bb044/
SH256 hash:
f8c6e13328d903b4ac90d4b97569d59477e465ecc320aae93196da1033eb648e
MD5 hash:
97ead9d7b1f19634d5abfc7b6af04e69
SHA1 hash:
b4026fc4b1c4c5183f687eea9e341429262b9ef7
Link:
https://www.unpac.me/results/3c93bfa5-6fc9-4bde-9481-a8722b6bb044/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/3c93bfa5-6fc9-4bde-9481-a8722b6bb044/
SH256 hash:
30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713
MD5 hash:
4cf00a84b2a96c9f35910063eaadf02d
SHA1 hash:
8512adf44051d7c292b875d652128c25c7b5572e
Link:
https://www.unpac.me/results/3c93bfa5-6fc9-4bde-9481-a8722b6bb044/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1024029/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118368/

Comments