MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9
SHA3-384 hash: 07551f2e5d6caaf7acc899149105d7d3ae56acf6467bdc1ec501987c4c43cf85b1b751c33a227a9915c0f9ec518c678e
SHA1 hash: 16185b8703d985bbc7f6f8bf67535087a1914a7e
MD5 hash: 1b7c733ed90746e39840f69d9eac4716
humanhash: moon-high-kilo-robert
File name:SecuriteInfo.com.BehavesLike.Win32.Generic.vh.16457
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'179'072 bytes
First seen:2021-02-05 14:05:41 UTC
Last seen:2021-02-05 15:03:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:aj514AwpK6SGez5N3Dqm0lCQVLvQC50lwkyLvW:wlqRlCaL
Threatray 2'453 similar samples on MalwareBazaar
TLSH 7AA5D49D365077DEC817CE368A681D64EBD0B87A870BD203A06326EDEA5D957CF140F2
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BehavesLike.Win32.Generic.vh.16457
Verdict:
Suspicious activity
Analysis date:
2021-02-05 14:06:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6f340d0-683f-4868-8aba-6eb1e4164d6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115741/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.vh.16457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600267
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 11:39:20 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idqqkbyz7jr3aah3dysusuijrru6wlvm6lq6vcdf3xvjd4jjbcuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
0f077fb618914c9f987dc7975a5e4c6372234ca35c292de29d864c494910928c
AgentTesla
1f57778e5448ce6d8834f523299fc5ba868636556c993a4b5f3faabacb36c993
AgentTesla
5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2
AgentTesla
9898c37e93d4e9a054c013f34ca57c1aa9130112c9104386219f94e1125d0b97
AgentTesla
99c823dce3f531e2a4d5c7ac84b74bb630cb344f281519927d4c202c8bac1720
AgentTesla
bee8a143562146fc38a4d02e59d2f2e280dc0a547cda9983dfde0aacdea4e99e
AgentTesla
c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25
AgentTesla
de9d415f8380055c8fc1a2239b7e1e85f29f0f1ba780c7bb2b9e2921dad93123
AgentTesla
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
AgentTesla
+ 2'443 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210205-4rcfdtwp7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
cecfe54b6d8e78ba477a0a169b472f99db645c5c442c2f4288f0af20461cb908
MD5 hash:
0ecba4d9093e400c2ee2110eff94d785
SHA1 hash:
6eab27c2e55299e99f252a18eea93b18ca2242da
Link:
https://www.unpac.me/results/5c9fb493-f622-42a9-8b83-54351b91a4d7/
SH256 hash:
af628a5815b8c8923cac3e9ea7ffaed39a61f5094e44a9e88d3455489256b762
MD5 hash:
4f8bec947dc72923de3fa7cda7935d83
SHA1 hash:
56764b0585f78a35cc8341c1b3b1b8f42a0f5f81
Link:
https://www.unpac.me/results/5c9fb493-f622-42a9-8b83-54351b91a4d7/
SH256 hash:
da89a88e05df3ec421c786fa3f8036b284a673ac3cb24184202dfbc4855ae53c
MD5 hash:
d3a4a70da2912d632728aa473a89e599
SHA1 hash:
cef3a0c1c43edf20f12943ca624dfffac9cf9d29
Link:
https://www.unpac.me/results/5c9fb493-f622-42a9-8b83-54351b91a4d7/
SH256 hash:
40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9
MD5 hash:
1b7c733ed90746e39840f69d9eac4716
SHA1 hash:
16185b8703d985bbc7f6f8bf67535087a1914a7e
Link:
https://www.unpac.me/results/5c9fb493-f622-42a9-8b83-54351b91a4d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/990972/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115741/

Comments