MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999
SHA3-384 hash: 0b6b4c1c9c92fd1ee07626aa299ddc14d7958d6d3bf3dd4828df39d2e6a63a7c5fc99d75db753b30d9ac69eb9eee18ee
SHA1 hash: d7c092eb1f3e8f75253e06745c567787fceda3d7
MD5 hash: dccdd80a837c0fde13e1e39a65fc6c36
humanhash: mars-utah-edward-arkansas
File name:x56cabmancr.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:977'408 bytes
First seen:2021-01-29 18:23:34 UTC
Last seen:2021-01-31 09:09:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:jFUid1BhHs6ya4C6XkiO+gK3LdNQZoAVqn8HF2b:xUgnCPtgGLd2ZoVQ
Threatray 2'334 similar samples on MalwareBazaar
TLSH 0125DF25262C5B6CF0BDA77982640900E3F6F923D332EA4E7DD950CF2956F85C752B22
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x56cabmancr.exe
Verdict:
Malicious activity
Analysis date:
2021-01-29 18:25:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af8ecc37-6cf5-4208-876e-021bd9d33c94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114852/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594298
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 18:23:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gx7is64ldubsrwm3stwa4iw6eef4h4cwjkhdjjby6mj7yibnxgmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
33c6ab107de081461d6f7b67d5d120efc3dd15ba75351d9a564884d6368078fe
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
451381760beee5124df9d6fe4d2a447dfcb420473800e9004d86159a0396547f
AgentTesla
4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
8bad16db1bd40fbc6e6fa8a9a9efd9f3bf8e95dd83af238625ee3f1f1ff1950c
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
e12243e5bae35e437f9e88665c52d3b5086cc5dab0eb5c682132a288625b023d
AgentTesla
fcd3fc0e0c174c30b7e47217e65c18db028d52f2ef52c5f1b387b3c27f36b5ab
AgentTesla
+ 2'324 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210129-87gkrptjva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
73861cd1faf5268f3f0e6fd4285d49d2279a2d646379a85834cf3b94580e2b20
MD5 hash:
0e9ed7661f6bf1856c390b368bae8111
SHA1 hash:
f7befc415fdf6b7cbc7a95fa8854b233215ab2c9
Link:
https://www.unpac.me/results/485c3fd9-6dbf-494f-89cf-bf44b963c982/
SH256 hash:
845e24b9186693413fcf6e0e797cd5db7fbade82b67954d76cf23ebf1747d221
MD5 hash:
c77c5b2c4404126f53eb0a81c4e07518
SHA1 hash:
c195204fdad99a61de62f0c1bc6b8ee8042ee807
Link:
https://www.unpac.me/results/485c3fd9-6dbf-494f-89cf-bf44b963c982/
SH256 hash:
0c434e2f08fe31d7b6adf5a60b6374c1adb5df76d91a18b957178f25181f9e84
MD5 hash:
be9abda6936822b0717b582887039ad5
SHA1 hash:
a848087aa0728338c8737940cb90245fb434132d
Link:
https://www.unpac.me/results/485c3fd9-6dbf-494f-89cf-bf44b963c982/
SH256 hash:
35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999
MD5 hash:
dccdd80a837c0fde13e1e39a65fc6c36
SHA1 hash:
d7c092eb1f3e8f75253e06745c567787fceda3d7
Link:
https://www.unpac.me/results/485c3fd9-6dbf-494f-89cf-bf44b963c982/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114852/

Comments