MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44a9a751fc33e5c475a197c4e2b94e40f8cd794d642f6f9e94d07fd33b5875c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44a9a751fc33e5c475a197c4e2b94e40f8cd794d642f6f9e94d07fd33b5875c4
SHA3-384 hash: d7d50c64c48dd5b80b50dc4c82dcca4600a42b56d4821a441f46b623f8547eeb8182654d8582420edfe2923d4d6e7a59
SHA1 hash: 8d192d538c60d3242921205b4df8fe8f62267ced
MD5 hash: d73b30b3a72b1f0be3e4abadcb3e920a
humanhash: william-spring-robin-edward
File name:d73b30b3a72b1f0be3e4abadcb3e920a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:391'680 bytes
First seen:2020-08-17 19:13:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:XGgluBdvk26j6NpQnPrVJbbRTo4ViPHPSNtAJ69bUUchIi0Y58Ev6G4:v9opQnPrVhC4VASIJ00Ii0YSn
Threatray 9'737 similar samples on MalwareBazaar
TLSH 6084185D2B84FE02F23D5A36C5D0562247B1D0835912D30F6EC45FEEFE4A7C9790A2AA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
terminal6.veeblehosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47342/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/434757
Signature
Found malware configuration
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44a9a751fc33e5c475a197c4e2b94e40f8cd794d642f6f9e94d07fd33b5875c4/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 03:09:26 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=isu2oup4gps4i5nbs7cofokoid4m26knmqxw7huu2b75go2yoxca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
058edd37e76814c72e3b158791ec7ce2313550521bd522dba07d6c21903aee7b
AgentTesla
0ca1f0a08b7a21079683beeaf8bfa86df3d396b8d7a0cade52e963b78bd9a7e3
AgentTesla
117ef07f45b0916e5d43168f52a5efbb756947d6aadd3389293adba4309ddc89
AgentTesla
254920e6788f4cb4975f08c5deef07e932f4a370a38c5197d7a4fb7846ea63ae
AgentTesla
2d37d614507a6d513d85edfa6c65a721b44740b1480b34df76f5debd64bbd73c
AgentTesla
52a5b10358396169aa44cb5959f68b2cdcfb9473596b2d8a8c5118066d4d9b29
AgentTesla
602539024550629c94790807ab0f6b99379a53767b14375963e64b71a2185408
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
9011468f8a2d455ad6446b9f8e277db5b7daf0becf65644ad12b94bcad401380
AgentTesla
b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636
AgentTesla
+ 9'727 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200817-ll4hjx9ane/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44a9a751fc33e5c475a197c4e2b94e40f8cd794d642f6f9e94d07fd33b5875c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 44a9a751fc33e5c475a197c4e2b94e40f8cd794d642f6f9e94d07fd33b5875c4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/47342/
  
URLhaus
https://urlhaus.abuse.ch/url/434492/
  
Delivery method
Distributed via web download

Comments