MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 356de4efe4fac16315678d89d906b4e6ee7a7ff7c8bb4dacebaa4f0ef573211f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	356de4efe4fac16315678d89d906b4e6ee7a7ff7c8bb4dacebaa4f0ef573211f
SHA3-384 hash:	23cb7b7bfbf6a830584a0b866c6b35def551dc425be735d860aca97cbec2bdb2373af2106a216cd214b18f35bd00be4e
SHA1 hash:	a57eb5230792b3a1efb0c71526942d58d1b4b080
MD5 hash:	b3b1c133187501eff921f2077bb07d78
humanhash:	violet-xray-missouri-red
File name:	Rpjz1pyVGhjBUG4.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	835'584 bytes
First seen:	2021-08-10 12:56:48 UTC
Last seen:	2021-08-11 13:08:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:jkZHU1FQigRoL0GfOcWxbdOCsAOxznpDZpSINKPKj:QZHU1FNXZmcyWA
Threatray	8'157 similar samples on MalwareBazaar
TLSH	T17E05F169B780BF8DC07A4E75C4025400DBE1E6776707F3CB2DE219DC5A8E69A8E23356
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Rpjz1pyVGhjBUG4.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-10 12:59:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/068424de-4546-4d76-aba2-7f95e2da052d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/177918/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37375345.19158.16114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c57b3bcf-a19f-461c-b876-375a1fa9ff10

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/830155

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/356de4efe4fac16315678d89d906b4e6ee7a7ff7c8bb4dacebaa4f0ef573211f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-09 22:52:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gvw6j37e7lawgflhrwe5sbvu43xhu77xzc5u3lhlvjhq55lteepq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1a7b47cb19815654a494cf57cd5f786d4e93137ecfff90371e9546b248c8b635

AgentTesla

931a752444d02c98b75e8062756baa88f000d0ccd2cc05044280fb0e9ed7771d

AgentTesla

9423b7f41de10ed83754fae0f0915001144922c927f51c36b94036a707a09f31

AgentTesla

acb87595a5ea8141149502c5f1616c9f8c38f8a183ce496d638f7ae094c29581

AgentTesla

b1288d6b5330d9bb5e398c328f22d4d6c4792cf73e347e5a74ee4180f8595776

AgentTesla

+ 8'147 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210810-1k8mzpj1y6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e31f6764af07128172c5117fc7278b8de7c195b0e9ca65f1adfd88a8db80c23e

MD5 hash:

49ec6727a378a954b86e43fd5faafa7c

SHA1 hash:

a72942601ef6da2c0282e1ab6f49b2b8c667725f

Link:

https://www.unpac.me/results/bc51db3d-7767-4a6f-b781-c8354d1f17f3/

SH256 hash:

edd9fc97fb393351e6f56f34bfa5e0da3c5d1daa953d5ee8530d9af2f03e60de

MD5 hash:

124b940343318acf9031ea470cae0847

SHA1 hash:

937d41ccca5ca05302e638f5f64fc5703ddc32ae

Link:

https://www.unpac.me/results/bc51db3d-7767-4a6f-b781-c8354d1f17f3/

SH256 hash:

ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc

MD5 hash:

6057ce35bd926dd6d49dedfa9cc18372

SHA1 hash:

1f4e44e1740ffbd91129ac3a37d22845bc52c158

Link:

https://www.unpac.me/results/bc51db3d-7767-4a6f-b781-c8354d1f17f3/

SH256 hash:

356de4efe4fac16315678d89d906b4e6ee7a7ff7c8bb4dacebaa4f0ef573211f

MD5 hash:

b3b1c133187501eff921f2077bb07d78

SHA1 hash:

a57eb5230792b3a1efb0c71526942d58d1b4b080

Link:

https://www.unpac.me/results/bc51db3d-7767-4a6f-b781-c8354d1f17f3/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/356de4efe4fa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/356de4efe4fac16315678d89d906b4e6ee7a7ff7c8bb4dacebaa4f0ef573211f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/177918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample