MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42620faec738135d77b2941759bec9377181b02f56003d8c0c400cc8ee40254e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	42620faec738135d77b2941759bec9377181b02f56003d8c0c400cc8ee40254e
SHA3-384 hash:	147b9e4a61a183e74b13789179bdb2979531309df450c45d54b42f2aba6d164909c4281a55fded2f35c8a613a78a6a35
SHA1 hash:	81057af1d6df4adca1e61a03f6205bef7acfcfcc
MD5 hash:	034825ea951f1833ddd2fe7604bbcf34
humanhash:	december-hotel-mexico-fourteen
File name:	SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.7165.10711
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	653'312 bytes
First seen:	2022-05-17 12:49:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:3smAvNcGWg/v0KYO5uSKflUOXm5xBFqZD/wWc84Etig:3smiu9gyO5w1Xm0DIWP4r
Threatray	16'797 similar samples on MalwareBazaar
TLSH	T147D4120976EE57ABD87D2BFD7440014463B1D2AD7912E6A80FC5E0EA2D5ABC01BC2F47
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	65e4d2eaecc4d859 (17 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.7165.10711

Verdict:

Malicious activity

Analysis date:

2022-05-17 12:56:13 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/d98f2495-03a2-4a91-9c42-39e8b51de9aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271596/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.7165.10711.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/62839a65d06ea2f4a072868e/reports/62cb2863-924b-4ed9-bb5c-09edd806d53d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20b29c2e-9875-40e4-b04d-b10d2c143f62

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/995833

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42620faec738135d77b2941759bec9377181b02f56003d8c0c400cc8ee40254e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-17 09:52:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijra7lwhhajv255ssqlvtpwjg5yydmbpkyad3damiagmr3saevha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

223d229605824345b0a52e8cda6b4b5cec4e538b4d8c0865aa639df10e1c8a31

AgentTesla

361613b915940a3b9f6aa8d702b16002474dad7b26df7f51f6310375c4e80326

AgentTesla

47e624d45a20608d4d50c5776a458ce37f60acfc43e2b70bfaa650336ed6b649

AgentTesla

7c6d1d088641bc7291bd027bc98daf4a1745759326caed316fcfd0deb57d589f

AgentTesla

d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b

AgentTesla

f37a0441c66222c49723f8feae71cdce91423549228a852fb24a99fcb80c5e41

AgentTesla

+ 16'787 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220517-p2xxzscab5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

97527da0af9e8321eb6aa2c760bc3a6453341b0fef90c44595a02945c2dd3144

MD5 hash:

332f0164e6b19699174c491d839d6ec9

SHA1 hash:

eadeadeaf7bf3978d86d633bd054e4ff317ecc40

Link:

https://www.unpac.me/results/0af242fa-78f4-4855-bfde-ffadd64c024d/

SH256 hash:

11861f152e0dd3bf254c22194d289084ea30ca349db9ba812928400b8b92f46c

MD5 hash:

4e780cbb3dace77e8c9953a0011a4f41

SHA1 hash:

bd34f6848e459d177543688a2b64a844de07927c

Link:

https://www.unpac.me/results/0af242fa-78f4-4855-bfde-ffadd64c024d/

SH256 hash:

38ea0c52c82ecd63d1de931257ae271a1eb0057e0b7096d2d04461d277a5810f

MD5 hash:

403f2a28107189e0cb74c3376a97eee6

SHA1 hash:

9e012145a1053676f95a7beac1b136b72f51d0d1

Link:

https://www.unpac.me/results/0af242fa-78f4-4855-bfde-ffadd64c024d/

SH256 hash:

d2ff33af1920248a5f90aebc7519e8954acc856ce581109fb4e1f863d5cdd2be

MD5 hash:

b6c8900ae9dc4a12db22c42e91004ea6

SHA1 hash:

83eb71a2d4fd58fbb2dcb69181aa090e9f4c530a

Link:

https://www.unpac.me/results/0af242fa-78f4-4855-bfde-ffadd64c024d/

SH256 hash:

42620faec738135d77b2941759bec9377181b02f56003d8c0c400cc8ee40254e

MD5 hash:

034825ea951f1833ddd2fe7604bbcf34

SHA1 hash:

81057af1d6df4adca1e61a03f6205bef7acfcfcc

Link:

https://www.unpac.me/results/0af242fa-78f4-4855-bfde-ffadd64c024d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42620faec738135d77b2941759bec9377181b02f56003d8c0c400cc8ee40254e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/271596/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample