MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd
SHA3-384 hash: 78ca092360e7d9463bb800e8e800469e6dda6f81c555bf520c31be1a88515ded87ee6dd0119232d15b73606f05e6efcd
SHA1 hash: cdbf9061207c6d6aae992b56a29904e890df1328
MD5 hash: a8024ac34d49fe9de92bb1e20bef44a3
humanhash: helium-maine-uniform-winter
File name:triage_dropped_file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:713'728 bytes
First seen:2021-09-17 12:32:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:L8zqv4p7fY9x1TmtWW6L062r3PSURK5Vv2Onzk4DbF53e0IUFLwx66QG8:LKqSY920c3PtUfbN
Threatray 9'951 similar samples on MalwareBazaar
TLSH T14CE45A103D968275E43A5F7ECAB863D5E63EBD232F31A03D1B70328606B364C899D576
dhash icon 71f0f8ccccf0f071 (12 x AgentTesla, 4 x Formbook, 4 x SnakeKeylogger)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LJUNGBY QUOTATION.doc
Verdict:
Malicious activity
Analysis date:
2021-09-13 17:46:21 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/6e18dc76-2298-4c01-a0a1-f6dd117dbffc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188696/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61752bf89a5a1e91c5d207ba/reports/6b248cf6-4e89-43f7-88f5-c47f37b5f62f/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e636b55-af34-46ee-9f6a-22f724d6da58
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852698
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 15:21:00 UTC
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i36s2ahhabcwrtyc5ujt35llchsagj25njw4poqat4fwwepqks6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d
AgentTesla
306de789cb862dffc28d6f2b9c01d7a56559ce13be20311369b27030bbc5339f
AgentTesla
30cac5dddc6d9c235c35ae552ec995845eb34d82f9fdb74af722f193d8f53fcb
AgentTesla
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
AgentTesla
67115e6158519fe2fff92209681162667a0caab50be21cf6ac673b8b827414c7
AgentTesla
8f47a284801f2fea4d4024b2f9b222e4b58538ce71a16c4bba876fd92d9e4095
AgentTesla
9b74da4636f307d83f8d087148712da7bd067b9c7bc78a8304ca59117fda3a3f
AgentTesla
b00f9dae9cce74b9c7f5b423fbcfe66e6d23db9741e172a2abdcc347ba9abd28
AgentTesla
e69bdeeafc821d1e337a126741196fce57672efe1e1992be11a6ba09a088a6f0
AgentTesla
ee7ee027752ede7e243e117a0de94fc360422b669045df92a45633545a15cd94
AgentTesla
+ 9'941 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210917-pq62hsffh8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
231bff283690c7feac02845286bad8f2156b7659d207bea969389ca9bfabe814
MD5 hash:
fb727a87b44b0b1813e63c8380d9d4ca
SHA1 hash:
f21d18fe018880576249d6a75fb4fbc994ae4125
Link:
https://www.unpac.me/results/b5e54c20-b5ae-4b9c-bcf4-3b0c9e28dc22/
SH256 hash:
6332e94dfc399f13c2fe494cb6c01c79be37ab50c70e486c854bacef22c90c0a
MD5 hash:
5f78ed395213436948de5a36e074a415
SHA1 hash:
af85f27d53b2193856a0c054e16566ff518fd1c9
Link:
https://www.unpac.me/results/b5e54c20-b5ae-4b9c-bcf4-3b0c9e28dc22/
SH256 hash:
23541341abd2ce945302f6dbec820595b4146707e48f136887150f06bf54e04f
MD5 hash:
ffe3e150171cd88fe5f1f89a82986990
SHA1 hash:
0679cc502d97ac11ef50711be570e88d94b8b163
Link:
https://www.unpac.me/results/b5e54c20-b5ae-4b9c-bcf4-3b0c9e28dc22/
SH256 hash:
46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd
MD5 hash:
a8024ac34d49fe9de92bb1e20bef44a3
SHA1 hash:
cdbf9061207c6d6aae992b56a29904e890df1328
Link:
https://www.unpac.me/results/b5e54c20-b5ae-4b9c-bcf4-3b0c9e28dc22/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 46fd2d00e7004568cf02ed133df56b11e403275d6a6dc7ba009f0b6b11f054bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1599300/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/188696/

Comments