MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d
SHA3-384 hash: 8d6ec3ecb06e3d164205a8f45377f5f14054f3a59ab421835357ebfdcd01f152eaa5f7ebad788d5aca56c268767aa18a
SHA1 hash: e9edf8ea787340bbb02ffcee09a4b0b6797961da
MD5 hash: 72492ec8db7b64349a5e4dd496873703
humanhash: nebraska-connecticut-potato-glucose
File name:le6kLM7IigTu2Pw.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'051'648 bytes
First seen:2021-05-25 08:58:19 UTC
Last seen:2021-05-25 10:03:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:itNCyI8qKaKxi7mD1cGyhiwisbGlsc+b6y:INBI8paKxi7m+1iwiCT
Threatray 5'259 similar samples on MalwareBazaar
TLSH A925171F2E9AE159E0D8CA3D06E85427FF02CFB320396ED698C7776D16A4D01B85252F
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161795/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.19480.2599.11939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791399
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423794 Sample: le6kLM7IigTu2Pw.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 7 other signatures 2->66 7 le6kLM7IigTu2Pw.exe 7 2->7         started        11 kSrYER.exe 5 2->11         started        13 kSrYER.exe 4 2->13         started        process3 file4 40 C:\Users\user\AppData\Roaming\YvQLvAG.exe, PE32 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmp2EAB.tmp, XML 7->42 dropped 44 C:\Users\user\...\le6kLM7IigTu2Pw.exe.log, ASCII 7->44 dropped 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 7->72 15 le6kLM7IigTu2Pw.exe 2 9 7->15         started        20 schtasks.exe 1 7->20         started        74 Multi AV Scanner detection for dropped file 11->74 76 Injects a PE file into a foreign processes 11->76 22 schtasks.exe 1 11->22         started        24 kSrYER.exe 2 11->24         started        26 schtasks.exe 13->26         started        28 kSrYER.exe 13->28         started        signatures5 process6 dnsIp7 46 smtp.ojototheworld.us 15->46 48 us2.smtp.mailhostbox.com 208.91.199.223, 49744, 49745, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->48 50 192.168.2.1 unknown unknown 15->50 36 C:\Users\user\AppData\Roaming\...\kSrYER.exe, PE32 15->36 dropped 38 C:\Users\user\...\kSrYER.exe:Zone.Identifier, ASCII 15->38 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 Tries to harvest and steal ftp login credentials 15->56 58 2 other signatures 15->58 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 19:12:47 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iuihyor7t3jppvn65qfmcdvmyk7zbwun3sxz4j4tg7oodnnl3ygq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12aca308f4e8bf9d42f8f01ac64b171c5851ffc356222feaafab2a84f307de75
AgentTesla
1cb0c85a07569475b00ff82ad4b7f651c3fafaa1beaef1d4c7a86cfa56bfdb5e
AgentTesla
2a31ce352dedfe83426a33aea06b929ca39d4563434113c0ac4e2d7c1a6eaa0f
AgentTesla
70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891
AgentTesla
82e86d82b4d3492465f83d7c46a834488b45ee7de90200c141f54bca128c508d
AgentTesla
a3d8fe6c96c7cdd697e0f0b2b151891e0082aef6c1d41b01fa7ce50e3d6d640c
AgentTesla
a644d61c1443b8355b00be70da09b63f791bd9ddfad2410648a32ff0cfe2eeab
AgentTesla
cac668b50ea54195a30a9a5bfb64ff95fcc22db46c6f3c993581911c332cfbea
AgentTesla
ebd27ef6fbbbf184d596b9fb113c92c32546abe2a379c12707691e43dfb73472
AgentTesla
fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976
AgentTesla
+ 5'249 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210525-jkd5h8r54e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/161795/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-25 08:59:00 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection