MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de
SHA3-384 hash: 8f9069e2f6d0ca77f978fea8095132df743c3d777322d76fd4a7c2967d43ce971e38f84696ea7fc0a8c05d2707784a44
SHA1 hash: bfbc64ee6a0fe1d0e6a2701292a11bb8e9110d27
MD5 hash: f493f20d27aa4269b09b0a3881ecaac0
humanhash: fourteen-march-solar-vegan
File name:Updated Invoice{swift..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:8'192 bytes
First seen:2021-01-25 06:17:28 UTC
Last seen:2021-02-17 13:53:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 192:Fc/p/1JbMCGJG4fN5RM+MYjDR17TV37X:1E4VXM+MYjDRR1T
Threatray 2'270 similar samples on MalwareBazaar
TLSH D5F1C528F38C9F23E87DB7386653190933B782D72B678B225F9D8AE5644248A0D1D785
Reporter cocaman
Tags:AgentTesla exe SWIFT

Intelligence

File Origin
# of uploads :
4
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114593/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.37393.6912.20904.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589208
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ix66qbagrvh53a2pxk6dkau64dmoij5x4xrswt6wftix73rwxdpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b277825df78139d46171f324c582866a81252fdaec3c8912fee41fb6f6172e2
AgentTesla
139e0682e4985353d6d73c2c0c8a0982a06a6f8758edb5b7f949282b5cbbd63a
AgentTesla
1438338262db388d53a3618eacfe7ace5f6c1884bd4465b3a1bf548c5cdb42e5
AgentTesla
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
AgentTesla
56d7482385631eaa41a5fe4b5bb2d7284cfe1035805512668b9495d0fd9c4a61
AgentTesla
5cfd185a582c4a6811966fb1585769fa8c17d67a969c72e1135f8de537d106d4
AgentTesla
852b82a6008df4460984881ca504c037e53f76ba11d4503f04312ed8f88fae12
AgentTesla
a12f642139a7cfe0891e40b83400cae049a06c959f742700d47f096ccaa32736
AgentTesla
bda798b8e628a9b364450614d203b2d1540155c102eddc36ad8a6ebfba18aca8
AgentTesla
e75f2e899377c5313dd3cee3ed9d8ac7e84267656656c5b9eaaee23ec50b5ab8
AgentTesla
+ 2'260 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210125-a7jfhcfwte/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de
MD5 hash:
f493f20d27aa4269b09b0a3881ecaac0
SHA1 hash:
bfbc64ee6a0fe1d0e6a2701292a11bb8e9110d27
Link:
https://www.unpac.me/results/cef2f68f-4a34-4571-873b-9bbafdd04162/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 3423bbc688888ed028f30def5a9815d686adba42002f156ae2a181d04f3a9d55

AgentTesla

Executable exe 45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3423bbc688888ed028f30def5a9815d686adba42002f156ae2a181d04f3a9d55
Cape
Cape
https://www.capesandbox.com/analysis/114593/

Comments