MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79
SHA3-384 hash: e9401002492436c17663e60acebd9d502c9ce81a68d8b7daf324e67cf7ee6ff1460e206e08bef368c32047def9c59e37
SHA1 hash: fb6ec6922150e7cb196f3c5a6b2d1fb4d4cec415
MD5 hash: 2f59e51ff3e876fd9306652bb3b8193c
humanhash: sixteen-gee-salami-yellow
File name:2f59e51ff3e876fd9306652bb3b8193c.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:824'320 bytes
First seen:2022-01-20 19:32:34 UTC
Last seen:2022-01-21 17:10:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3giiiiE9WfXGd3334V+kNtRuJiqRhuWOY6cI6euB7cumS2zA:QxfXk3334ZrcJiqrxOVcI6VyumS8A
Threatray 14'323 similar samples on MalwareBazaar
TLSH T17D0501307FD25B49CB0E87B4987CBC218378B5972898C76F898AADDA13287D15351F27
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.retissima.net:21

Intelligence

File Origin
# of uploads :
3
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4b0b6c420c20219a94d5893b347523068a92f0f7236c007f43abe28983c5e038.zip
Verdict:
Malicious activity
Analysis date:
2022-01-21 03:34:27 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/2cc8f05f-3eeb-480d-8e4f-1fda55869a68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221230/
Detection(s):
SecuriteInfo.com.Variant.Bulz.473852.146.7286.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed print.exe replace.exe
Link:
https://www.filescan.io/uploads/61e9b8f40f8c757253d1c9fe/reports/3dea950c-72b5-4d90-9e63-2d58a80fc2c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55769f12-c23b-4540-bfc6-950cf5775f08
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924724
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 19:33:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbpcxrsjloa2dkabhdfjgklvy2c2rhjkj5jofwr53wirngff3z4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4bc04aa1102d1ddab6de06654183987351f5215c5cf3fe6f9cb13b3efcd99656
AgentTesla
59e5cf3ac305b9551229f2f533ff4ec2176bc0ce52d9390bd82c14aee5b206e9
AgentTesla
65677020ac2854b94bab8f54ac6617eea84e0d598a7e1a463e84f7d7adcfd69a
AgentTesla
a2822ddd514c1b4e9582569c8730424d9febcf9cbcdef13e61a719a5ea6fc141
AgentTesla
bc98bced9609415a65200ba31e31dd6c30f393ca0e7e5d4f2f20b63ce3889a80
AgentTesla
c3ba8ff4689b7b8c502fb09e64f88ae3395125fe4ec6f9e0d9a6dd80b328839f
AgentTesla
ee38c337749db260f84ccad87db5245a2fae65f86d8cd57562c72081d3300f97
AgentTesla
fcad4571cf07cff71d0d37a37e96dff90d99a991597910d2222e4a7e3519a41f
AgentTesla
+ 14'313 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220120-x9sx1abcfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
26fcf784e7747ea2e6aa4e8def4b4fb0e3c2c2d7c9f5c6940271be1a8069fb48
MD5 hash:
179631f183bd40db60d97129bb0eb299
SHA1 hash:
f04c7e55799060935b4cf842d2bf2a3e491cadd6
Link:
https://www.unpac.me/results/f9088cb5-d449-45c6-b31a-9fb464827f7f/
SH256 hash:
ceecced9346065075ea7c95e6068b0bd62995408ad49cb40589fb86f5dd56c7d
MD5 hash:
d6a1cad19a55f92d2d7a6b2a44c447e2
SHA1 hash:
ccfaa0dc7d4ad0abe34c3a5b31efbacd0474fdd9
Link:
https://www.unpac.me/results/f9088cb5-d449-45c6-b31a-9fb464827f7f/
SH256 hash:
648bf891f362555448cf4a365cf6d5aa05926cb2662947cbeb40ed352ae11d78
MD5 hash:
fb078cb456c1a4c68a5a9fe4c97bce86
SHA1 hash:
cb283d2f7ef34f40acd854979520df86d00185b1
Link:
https://www.unpac.me/results/f9088cb5-d449-45c6-b31a-9fb464827f7f/
SH256 hash:
485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79
MD5 hash:
2f59e51ff3e876fd9306652bb3b8193c
SHA1 hash:
fb6ec6922150e7cb196f3c5a6b2d1fb4d4cec415
Link:
https://www.unpac.me/results/f9088cb5-d449-45c6-b31a-9fb464827f7f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/485e2bc6495b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 485e2bc6495b81a1a80138ca932975c685a89d2a4f52e2da3ddd911698a5de79

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221230/
  
URLhaus
https://urlhaus.abuse.ch/url/1989711/
  
Delivery method
Distributed via web download

Comments