MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35badde7665455f011683d9d8ce515444f0f12839abbd7ed7abe1d9a0d2fabbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35badde7665455f011683d9d8ce515444f0f12839abbd7ed7abe1d9a0d2fabbc
SHA3-384 hash: 088dbbd628ebfc7121d25aaa62c6fa7f508c101413139fa51d35fabc5901a53e2da8d728c670e94e8a900161042e545d
SHA1 hash: efa298a80f2d73ab9ca5a2eb81a8cc0fb2e77554
MD5 hash: 095890040e266299e4c30d7e9f57b217
humanhash: carpet-triple-skylark-lamp
File name:095890040e266299e4c30d7e9f57b217.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:451'584 bytes
First seen:2021-08-26 12:35:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SsUpKnq4bmg5l56yuPXO/x3Lw9g/34GM:Ss7b5bx8S3Z
Threatray 9'139 similar samples on MalwareBazaar
TLSH T177A4F12E3395AF90C5AC5571C6E7983443FAE9CB7237D3453E4806E94E023AC8D5A7CA
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
095890040e266299e4c30d7e9f57b217.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 12:38:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71528afb-f26a-426e-b426-be6897dd9b88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182622/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6890.1119.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecede8f4-8d80-43ef-a613-4b51620600a0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839924
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472357 Sample: 7yVswRFG5P.exe Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AgentTesla 2->35 37 3 other signatures 2->37 6 win32.exe 5 2->6         started        10 7yVswRFG5P.exe 1 7 2->10         started        12 win32.exe 2 2->12         started        process3 file4 19 C:\Users\user\AppData\Local\Temp\win32.exe, PE32 6->19 dropped 21 C:\Users\user\...\win32.exe:Zone.Identifier, ASCII 6->21 dropped 39 Antivirus detection for dropped file 6->39 41 Multi AV Scanner detection for dropped file 6->41 43 Machine Learning detection for dropped file 6->43 14 win32.exe 2 6->14         started        23 C:\Users\user\AppData\Roaming\win32.exe, PE32 10->23 dropped 25 C:\Users\user\AppData\...\7yVswRFG5P.exe, PE32 10->25 dropped 27 C:\Users\user\...\win32.exe:Zone.Identifier, ASCII 10->27 dropped 29 2 other malicious files 10->29 dropped 45 Writes to foreign memory regions 10->45 47 Injects a PE file into a foreign processes 10->47 17 7yVswRFG5P.exe 2 10->17         started        signatures5 process6 signatures7 49 Machine Learning detection for dropped file 14->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->51 53 Antivirus detection for dropped file 17->53 55 Multi AV Scanner detection for dropped file 17->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->57
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35badde7665455f011683d9d8ce515444f0f12839abbd7ed7abe1d9a0d2fabbc/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 12:36:21 UTC
AV detection:
15 of 26 (57.69%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw5n3z3gkrk7aelihwoyzzivirhq6eudtk55p3l2xyozudjpvo6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
302fa5500a1b8df5e1b37c2e79a28806110e93f6c3037b7ecb7e1d2864ba13d1
AgentTesla
43529598ea9bcb9fb6fd47e9554afbc39388856dee239751ba45c18186ac7346
AgentTesla
85ec9fb4bee90d873565b289a0165f8a543114e8f20b9725786fcb7900a36c4e
AgentTesla
b175b47baedbb3fca9f91e253535b99d735af5e9ea14e9644b2ce4851f8849ff
AgentTesla
b523f00e6fe208d0e59f58e0d45740017b0659821fc7f9daae35313eb1d9e80a
AgentTesla
e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8
AgentTesla
+ 9'129 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210826-pxb5mvgbcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1987848583:AAHSwmprTFpvEybmL0ROJO4AawZ1x9yuNZs/sendDocument
Unpacked files
SH256 hash:
e03de31cbbd5724d5820e1c43cb822eb9fdef5b5193e87fd9016a48164b9acb5
MD5 hash:
b258b804055526bda2b59d1bf6ac08c2
SHA1 hash:
fcfc2c9cf42c732810a20d07a7e7d7fee738607d
Link:
https://www.unpac.me/results/97522638-b47f-47da-a4c5-790a999db41e/
SH256 hash:
0f242e89dd3f1685ace979a248300f7f414932b8a2a75af88585c427f2758c10
MD5 hash:
6646213e564d27b399891f8b4d153852
SHA1 hash:
c6d9757c53c4d25d2bdf80111b34c1d2fc66d4c0
Link:
https://www.unpac.me/results/97522638-b47f-47da-a4c5-790a999db41e/
SH256 hash:
1ab39b1d75677663df9151913e869c4cb2584ead6c87889cf51c5ede478664de
MD5 hash:
9e615fe0f02afb63931fe05f612c73db
SHA1 hash:
4e5f9ecc456a8394b371fb3560584674c7093d43
Link:
https://www.unpac.me/results/97522638-b47f-47da-a4c5-790a999db41e/
SH256 hash:
ce1db26303a463f35eee7f24b7594bf493b369cd2d8bca00b96d4683647df048
MD5 hash:
600c9533dc5511faded373c2fe4b25ab
SHA1 hash:
12c09d042507dd17d46546944355cb2f05f481eb
Link:
https://www.unpac.me/results/97522638-b47f-47da-a4c5-790a999db41e/
SH256 hash:
35badde7665455f011683d9d8ce515444f0f12839abbd7ed7abe1d9a0d2fabbc
MD5 hash:
095890040e266299e4c30d7e9f57b217
SHA1 hash:
efa298a80f2d73ab9ca5a2eb81a8cc0fb2e77554
Link:
https://www.unpac.me/results/97522638-b47f-47da-a4c5-790a999db41e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/35badde76654/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35badde7665455f011683d9d8ce515444f0f12839abbd7ed7abe1d9a0d2fabbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182622/

Comments