MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa
SHA3-384 hash: 454cb856c1d7b86c047b944b809496d331cccecb9c61428b84a3289eeef8e866094f9adc64611318b31cdcba5b129111
SHA1 hash: 2dd4863f943be6f5d65b36f67e14ca41c8a9e535
MD5 hash: def405da75287251d103bbba79d2a408
humanhash: colorado-fish-south-football
File name:SecuriteInfo.com.Trojan.GenericKDZ.73158.24915.16250
Download: download sample
Signature AgentTesla
Create hunting rule
File size:754'176 bytes
First seen:2021-03-01 17:39:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PEsuK9gGk1YLxsdL2IUNeZnNLGVR5k5KxvF0Ai3LLUEMthvoPTG16KL:5sVcsoIUA+u5KvILCsG16KL
Threatray 2'933 similar samples on MalwareBazaar
TLSH A4F412651A711F14DD7903B413602EE463B86A3F4BEBEA1C6C85E1CB7253F926A0F907
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKDZ.73158.24915.16250
Verdict:
Malicious activity
Analysis date:
2021-03-01 17:42:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1bd7adac-0292-4ac0-be69-63709dce91fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120345/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.73158.24915.16250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622617
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 15:17:53 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfkauz7be7fspjaifnpgh56t3auwh7wj6vxfu447t4vruhufjova._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
AgentTesla
41c7c097e85a0c9ee40d1d92cd47bfff9fdb5752532a21e15c142fa3591eb7b3
AgentTesla
5872699b0d954f58213188b45927d5ad0708a0e2737abb2971d4ddfda06f4dea
AgentTesla
62ed61971c25cdb6b20b7408c0047a33c431c1ef636184fdf5dbaf979319edaf
AgentTesla
98a4aad3557b1ce781c3d2369b9823fdc1fb902643f923c73b5ca42c84ca25f7
AgentTesla
a095c691a509873aae63969bd42ddcbfad25a03b71d56329966df693a5604320
AgentTesla
a98a739b9ab7b06bf2833f6ef4aa97db1b7c2441365c7104e878c8b29bf90f74
AgentTesla
b67ab8fb362ddb271c827e44adf17bddb3c67f5d49c9d67c60797b04967c8442
AgentTesla
c18ee8f785af2b2aef01668ea83662281cb236af6b6405c65e01281635b20696
AgentTesla
ce76fc43c1ae2fc7d499a24d0d93b8ffae25e9d3ef6d6c8086e54ffd0d29ff31
AgentTesla
+ 2'923 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210301-csytak6w12/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d941c6eb7b5e2166cf5a1fe0777c9d68471a88cb45e5cd8d6557aa18ae019ef6
MD5 hash:
f59350d671c966a35b0894796b10999c
SHA1 hash:
c3fdc820aabdba9d92c5a5d751b2b75d37c7e7e9
Link:
https://www.unpac.me/results/81dc96a6-22c4-40d0-a2de-7ecaf1ae030f/
SH256 hash:
cd7f088730ccc9948d7b22669a2de9d2f6bddc371c6fc76e7b046315bacf1619
MD5 hash:
222ec6359ec7df5a497499cf4622e793
SHA1 hash:
22b4272503272a84b764e434c527ab4b9a4b1a76
Link:
https://www.unpac.me/results/81dc96a6-22c4-40d0-a2de-7ecaf1ae030f/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/81dc96a6-22c4-40d0-a2de-7ecaf1ae030f/
SH256 hash:
39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa
MD5 hash:
def405da75287251d103bbba79d2a408
SHA1 hash:
2dd4863f943be6f5d65b36f67e14ca41c8a9e535
Link:
https://www.unpac.me/results/81dc96a6-22c4-40d0-a2de-7ecaf1ae030f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:enterpriseapps
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1040335/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/120345/

Comments