MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710
SHA3-384 hash: 74ffd9e49272684c5feb6f4cba11db0c1f5a8acb28a840d47b3e5fdeb0e0332c010c4fb86c1f6e816351a82db267ef30
SHA1 hash: 097ebc716d77adfa2a560b5d01871d7fdbecf805
MD5 hash: 6975893d5ccd286e04b879fdaf077393
humanhash: jig-london-happy-moon
File name:DOCUMENTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'114'624 bytes
First seen:2021-10-01 07:55:29 UTC
Last seen:2021-10-04 05:06:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sLvN+UP2iNNZmjKFX3s6i4S550OtTwSLV4o1KAaaaaaT5Uaaaaa:sLlZP1L9Ji4qGOtTwSP
Threatray 10'546 similar samples on MalwareBazaar
TLSH T1EE3547294DAE82F783EAC63CD04D0BCEDE65BDA37A514E1D8495B6D20277F0BE48845C
File icon (PE):PE icon
dhash icon 18c580ba2260e001 (11 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 07:57:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4edfb28f-98ac-4b04-a17d-bdf995f0f07e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193923/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/777acd22-00c8-4be7-baaf-9f2bcdb618d8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862570
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494998 Sample: DOCUMENTS.exe Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 45 pas-shipping.com 2->45 47 mail.pas-shipping.com 2->47 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 7 other signatures 2->67 8 DOCUMENTS.exe 6 2->8         started        12 tKZVPq.exe 2 2->12         started        14 tKZVPq.exe 1 2->14         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\bJvZUc.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp5657.tmp, XML 8->39 dropped 41 C:\Users\user\AppData\...\DOCUMENTS.exe.log, ASCII 8->41 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 8->69 71 Writes to foreign memory regions 8->71 73 Injects a PE file into a foreign processes 8->73 16 RegSvcs.exe 2 4 8->16         started        21 RegSvcs.exe 8->21         started        23 schtasks.exe 1 8->23         started        25 RegSvcs.exe 8->25         started        27 conhost.exe 12->27         started        29 conhost.exe 14->29         started        signatures6 process7 dnsIp8 43 192.168.2.1 unknown unknown 16->43 33 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 16->33 dropped 35 C:\Windows\System32\drivers\etc\hosts, ASCII 16->35 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->49 51 Tries to steal Mail credentials (via file access) 16->51 53 Tries to harvest and steal ftp login credentials 16->53 59 3 other signatures 16->59 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->57 31 conhost.exe 23->31         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 07:08:43 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idgliwzqp5krgxm6ovhe54qdhongvrgiiwllbrvusywviiq544ia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
54920b6428a47f26167fa633550d0dffb12ec4981ede7f4e7ec9ad08948432f1
AgentTesla
856c3abba6de3f00378613cc67649350a6e9b1867d8f2edede21e5b73d4da01e
AgentTesla
ad28a444141c8894fc961bb6a358c29bc063e6e1f140526a1cbc973f5966db79
AgentTesla
ced2482a9d4316028a8ae3edc49a1dbe1ecd1f76b1a4c6a682505d3b7dd78146
AgentTesla
e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5
AgentTesla
ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc
AgentTesla
fc9727f2753b43b61dfd651efaf5adb6e43edd12564b54acf16c23756091b5f7
AgentTesla
+ 10'536 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211001-jspmcsbccm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/56ab584b-2f3d-4f4f-b24f-581af8625636/
SH256 hash:
562321766d0c59460804db4cb26734d7210285ba396f5daca7d95671b10afcfc
MD5 hash:
4baeea93a02f54b8a7e3764205d0d317
SHA1 hash:
5e48a80293f5a114dab4c0e6d75353da25d6c78a
Link:
https://www.unpac.me/results/56ab584b-2f3d-4f4f-b24f-581af8625636/
SH256 hash:
eb4256eb37f65900c8bd6deaf08b0cadbf41ad48ee70453ce4905e59dcefce85
MD5 hash:
a30cfe8969747bd922f95a2463767e9e
SHA1 hash:
373cdd86cea58e02ca21f64d8e5a9d7de9c6d0d0
Link:
https://www.unpac.me/results/56ab584b-2f3d-4f4f-b24f-581af8625636/
SH256 hash:
40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710
MD5 hash:
6975893d5ccd286e04b879fdaf077393
SHA1 hash:
097ebc716d77adfa2a560b5d01871d7fdbecf805
Link:
https://www.unpac.me/results/56ab584b-2f3d-4f4f-b24f-581af8625636/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/40ccb45b307f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/193923/

Comments