MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b
SHA3-384 hash: 39000d2595625428273c665a244d4a2064d2588d3e9b345f7b4d320e892b450335d6a8d208ba735e47d21d0f5f9a6a7b
SHA1 hash: dbf4b97e5fb53584ce292ef52522c39835c40a64
MD5 hash: a10aa0e7766ae73dde7d42df0bc09ecf
humanhash: table-hotel-north-black
File name:Request for quotation against visit to your website.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:910'848 bytes
First seen:2021-09-21 15:53:25 UTC
Last seen:2021-09-22 05:17:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:3GA/7xzyoNQA0vDWd1PFhsMQU1prH/Ukp5jzJa+MI6dTEVTfU2432tDON0fGJFZ:35xztv0Sdza8rBBaJDdElfBO64
Threatray 10'097 similar samples on MalwareBazaar
TLSH T11F158C394D2682F787EEC62CD08C1FCEDAA6A4837B919F1AD496D7C2025770FE49845C
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for quotation against visit to your website.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 15:55:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17b6a6da-00f2-422e-8036-8edcc691ad32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189931/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9c2bf38-e65f-400e-8c4c-5def15c43422
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855056
Signature
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 15:39:41 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ij56keyxpoy4uv4lijmpndokfcaenjodvsaeivqoiwlrmsnaby5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5
AgentTesla
438a50c5f70ae621fe841b4e374fb6ca497eea812ed0a12747ebcfa6112b0c31
AgentTesla
4d19b474c3c20fc0911d7ae5cbbd632c5302327679615f52eb8152d0bba0d643
AgentTesla
68051ee97e00b1657b979c43537340b4fdd319c1ef14f7a4fd410c8dd7da2157
AgentTesla
8d33ac3a6ed3e4e8608757bf57424e201c94f5418eb24d7a921fc9116d595c88
AgentTesla
8ee66437262784d5fc5dcfa68d751bf0425e99fbeff67c8f01572f9404cee6f1
AgentTesla
c1f5b077bfd34cafcb3bb09361463329ef58c3692f13fcc6d2ffe01b55d734e2
AgentTesla
f2df3607d9bf52dea479cec85419189bebdf7030c4c6fbbaa7ee18e4996a3013
AgentTesla
f53b6d36630cd089f95cc2127cb9c564068512d6a4a4eaec1fe95e25f7f32d1a
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 10'087 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210921-tb8zsahhg3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
8add9a32ce4d281dbb283b2403ed6dd8454929450e0e201c99799838698befaf
MD5 hash:
7cca0844c1daac14de989004067a2a70
SHA1 hash:
ca7c1dac5ca7984065ad43c3b6fbe0a373f49083
Link:
https://www.unpac.me/results/d6980379-768d-43cc-828c-b3bd78dd817b/
SH256 hash:
ee2e037d729f27454ee1c2766cdcc947f5fe89aa8e8d4551b18b48ce6a85c334
MD5 hash:
8367ce58174d6b20ee3bec50e4d07b6a
SHA1 hash:
8217b3658f73381b6c8a4c17a50a88071699e44d
Link:
https://www.unpac.me/results/d6980379-768d-43cc-828c-b3bd78dd817b/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/d6980379-768d-43cc-828c-b3bd78dd817b/
SH256 hash:
427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b
MD5 hash:
a10aa0e7766ae73dde7d42df0bc09ecf
SHA1 hash:
dbf4b97e5fb53584ce292ef52522c39835c40a64
Link:
https://www.unpac.me/results/d6980379-768d-43cc-828c-b3bd78dd817b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 427be513177bb1ca578b4258f68dca288046a5c3ac8044560e45971649a00e3b

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189931/

Comments