MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9
SHA3-384 hash: a16e9e8fef7264ef11dae156cefd85338c03b85792760dff80bdb11ddaf7c1833e90b6fd33fa4a4a0eabf8d733cbd6f8
SHA1 hash: c0117c587dc77f64fd354c62a1f1d0f17857b626
MD5 hash: 4f08087e56b8b3d5da9cb72a3883d880
humanhash: low-item-berlin-wisconsin
File name:Dekont20210625_83772666552532.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:270'614 bytes
First seen:2021-06-25 10:19:31 UTC
Last seen:2021-06-25 13:03:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 6144:sTqjFoWiUXO+09PqbgXidBI+nlPSDxvE4IBg9fS:sxVPwyLca9fS
Threatray 6'133 similar samples on MalwareBazaar
TLSH AE441297BED1C4BBD4531770897A7FB5F2FEE30CC152640303661F2BB8632A98A52196
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dekont20210625_83772666552532.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 10:21:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/beb26bf1-2a3b-4453-aa7c-8bd1306ed681

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168295/
Detection(s):
SecuriteInfo.com.Trojan.Loader.846.16329.21940.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9506c5dd-ec1e-4c53-a029-c5570b9a68c7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808046
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440457 Sample: Dekont20210625_83772666552532.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 6 Dekont20210625_83772666552532.exe 1 22 2->6         started        10 jeoxtqnc.exe 18 2->10         started        13 jeoxtqnc.exe 18 2->13         started        process3 dnsIp4 22 C:\Users\user\AppData\...\jeoxtqnc.exe, PE32 6->22 dropped 24 C:\Users\user\AppData\Local\...\System.dll, PE32 6->24 dropped 42 Writes to foreign memory regions 6->42 44 Maps a DLL or memory area into another process 6->44 15 MSBuild.exe 2 6->15         started        32 192.168.2.1 unknown unknown 10->32 26 C:\Users\user\AppData\Local\...\System.dll, PE32 10->26 dropped 46 Machine Learning detection for dropped file 10->46 18 MSBuild.exe 10->18         started        28 C:\Users\user\AppData\Local\...\wuvquiucieo, DOS 13->28 dropped 30 C:\Users\user\AppData\Local\...\System.dll, PE32 13->30 dropped 20 MSBuild.exe 2 13->20         started        file5 signatures6 process7 signatures8 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->48 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->50
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 10:20:22 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imn72fqhdhdbkztjb6lc5655syknacb4ewfpvmkbqsyylactoouq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2d90d1eb72b8258b6eafa378348d531aa523e195aa33dba3365000bba8f6eeac
AgentTesla
6be400fa61cb3ea26f971bee2b41dc11761d247835f5bff2a017a78f2a6aa010
AgentTesla
7442f0a65b8a25f44b65fe4e3db9eee4a95ea2027068b4fca8760d7a6a311a98
AgentTesla
91c721be1fbcbe252218eed8b8e8b89c46f49b26def8efebf1f30aaae1055725
AgentTesla
938a1c15eab21846b96971f70eac4ef78f273adf89d6305aee7b91f5212e9013
AgentTesla
a94a6a5c3f1e54f64f9fe3b1c38989017ff1f0424d454a95d5eff09ad129ae8b
AgentTesla
b091935387e34aeb39e80d1172bd83417a3e11bb78a3d1ff2fed2151386b1cdd
AgentTesla
ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0
AgentTesla
d175dab2b72a0e78b419dab0e514d5adc44b19e1ad11282afbd0b4eb0e9c139c
AgentTesla
fef5e611f4e7df41a0de6373c01e61810f8c8778ab47225cba04fdc7eb2641ee
AgentTesla
+ 6'123 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210625-t6wlrs9w4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/b1bdf8a3-2171-4241-a71e-4c871f6ac05b/
SH256 hash:
3e2ecce4e36edfe6f920ca3957ab71a611059843930d3131b7a6134eeb7d0544
MD5 hash:
32de91176545506041b0a21c70373dbe
SHA1 hash:
db00014e6369dcfbe896700bac71a9cf27e726b2
Link:
https://www.unpac.me/results/b1bdf8a3-2171-4241-a71e-4c871f6ac05b/
SH256 hash:
431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9
MD5 hash:
4f08087e56b8b3d5da9cb72a3883d880
SHA1 hash:
c0117c587dc77f64fd354c62a1f1d0f17857b626
Link:
https://www.unpac.me/results/b1bdf8a3-2171-4241-a71e-4c871f6ac05b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168295/

Comments