MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

SHA256 hash: 31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
SHA3-384 hash: d6963291c21fc86ee622f1af5fb3878cedbe8cfda0b38a77ae98af53d1f08f58fb67e193f408553d2e5bb108ef468d8a
SHA1 hash: 1a115c8a1761ef2a2cf61d854d1d2c201c902d53
MD5 hash: 5d5f37a7cf3a9ff4277b3a9dc2c4b9d2
humanhash: london-pasta-aspen-lactose
File name: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438
Download: download sample
Signature: AgentTesla
File size: 689'664 bytes
First seen: 2022-05-04 12:34:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (29'903 x AgentTesla, 9'527 x Formbook, 4'668 x SnakeKeylogger)
ssdeep: 12288:22L2IOI6QPAc9lIZx2tDPG2xMN1HHG05LZ524R8douFvjkntY9DTVYCsK5iZ1:22j6gz92AtDPGaMnnRBZ7+1F70481Z
Threatray: 16'781 similar samples on MalwareBazaar
TLSH: T18DE4126C66C64332EF7931F3F2F2498127367D6EB032E289ECA212DDC9927431555A27
File icon (PE): PE icon
dhash icon: 0b3b5bb337d39b6b (1 x AgentTesla)
Reporter: @SecuriteInfoCom
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 267
Origin country: DE
Mail intelligence: No data
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438
Verdict: Malicious activity
Analysis date: 2022-05-04 12:36:27 UTC
Tags: agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating a window
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph: ID 620228, Sample: SecuriteInfo.com.Trojan.MSI..., Startdate: 04/05/2022, Architecture: WINDOWS, Score: 100 (graph rendering omitted)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-04 07:36:03 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 11 of 42 (26.19%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in Drivers directory
AgentTesla
Malware Config
C2 Extraction: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Unpacked files
Malware family: AgentTesla
Verdict: Malicious

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments