MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4661da61c0b3120e6e6487dd9b3ebc8a6725608547bfc8bcc9bd9f2e0b777121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5



SHA256 hash: 4661da61c0b3120e6e6487dd9b3ebc8a6725608547bfc8bcc9bd9f2e0b777121
SHA3-384 hash: 3d2d3b2e48bdce05f495bcf1df6ded9cb9af144e2ab60702907d9d1392eca5781942adf8fdf9ccadcf26ed3188a9f5b0
SHA1 hash: a0483a6150f4b4a5aea26aeeb6fa31a5247a43a5
MD5 hash: 5d6598fd63e5825b5fb685ffa6243571
humanhash: whiskey-seventeen-comet-utah
File name: RRFQTay8qI30JZl.exe
Signature: AgentTesla
File size: 630'784 bytes
First seen: 2020-11-17 11:59:45 UTC
Last seen: 2020-11-19 14:46:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:NuXLjbGIUt8LFt9RipYarjT1wpKzgnB51n89O7oSYOp:N0GIo8xnarSpKzgBT8kX
Threatray: 1'708 similar samples on MalwareBazaar
TLSH: F5D4E1793981FE8FC21B8D7685502D005EB1B8675B07E31FB8DB22DD195E78A8E00A77
Reporter: JAMESWT_WT
Tags: AgentTesla

Intelligence

File Origin
# of uploads: 3
# of downloads: 64
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling autorun by creating a file
Result
Verdict: 0
Threat name: ByteCode-MSIL.Infostealer.Stelega
Status: Malicious
First seen: 2020-11-17 09:03:35 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File type: Executable exe
SHA256: 4661da61c0b3120e6e6487dd9b3ebc8a6725608547bfc8bcc9bd9f2e0b777121 (this sample)

Delivery method: Distributed via web download

Comments