MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48adb19935018cc99f101e73a3a530d9e48279916ac38073f30ffbebbaba47f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48adb19935018cc99f101e73a3a530d9e48279916ac38073f30ffbebbaba47f3
SHA3-384 hash: 5f4716a49bc9167d2bcd582e209243c175e4eb4735b9fdab9d11c0ae4cb71c7de695bc3b02223d4248a1c5486fc265d3
SHA1 hash: 4842ed34ca416e45ae9d52948217cfd85ab7e60d
MD5 hash: c4bf27cc9f4e48d9a0719d235f25485f
humanhash: romeo-august-steak-hamper
File name:PO-#5166 Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:680'448 bytes
First seen:2020-11-24 16:15:19 UTC
Last seen:2020-11-30 15:06:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a60d416706dea7b1fd543d9a115ddddc (1 x AgentTesla, 1 x Loki)
ssdeep 12288:CtdgQ0i0uEazZIHQ0AQeOAObBuA/EfR/47sHm9awYnIH:CtyQ0i7sVAvIzEfR/4Am9MnI
Threatray 1'538 similar samples on MalwareBazaar
TLSH 4FE4AD03B5CC54F0F06F42B60C95F72C2A7A7D614A664DAB2EC9F949163109262F3E7E
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Creating a window
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546205
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48adb19935018cc99f101e73a3a530d9e48279916ac38073f30ffbebbaba47f3/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 05:58:42 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcw3dgjvaggmthyqdzz2hjjq3hsie6mrnlbya47tb756xov2i7zq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
09039ff8c6c08c31f158428d4f78123e5afc57f0751ab877d84011897c512f1d
AgentTesla
388f6ec7d202b0121c356c6590826ce2528579f005c81e95c925eae161c8ee6c
AgentTesla
5b5dc3238b5c70ae42e90e4428fe493eec98be9a4bb82bf23248f6d9e24da2fe
AgentTesla
62875bbcc1ccebc66490cf8aa7781b959500dec28eee481312a1da08872eb465
AgentTesla
8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc
AgentTesla
8e6eaa63e1369a27a263e6c57e6183631c9cbfed993cfc9c77ae3b3a57e32e73
AgentTesla
e5662c40e472ff15127b5466170ee7e235daab610c4a897a3ecffc50fa716c14
AgentTesla
f550b174528b14a38ed8725fc03cf092de3e976a4287874c4fd5eb7fad33312f
AgentTesla
fa7fc5885d44b9be6615f4a1c22cdeb6930ef0a477cda1c7a6fdc48b296426f4
AgentTesla
+ 1'528 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201124-lj2w7sy8ta/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
48adb19935018cc99f101e73a3a530d9e48279916ac38073f30ffbebbaba47f3
MD5 hash:
c4bf27cc9f4e48d9a0719d235f25485f
SHA1 hash:
4842ed34ca416e45ae9d52948217cfd85ab7e60d
Link:
https://www.unpac.me/results/8856ca5c-27b0-458a-b59b-62456a6e627b/
SH256 hash:
f0d8c444326246b844e175a72c71181c8f1be64c0b973478c158e57c21e1f1cf
MD5 hash:
0c719561d01aef2ccc63d4c0191b4c19
SHA1 hash:
19c39e8f9b475beced7b7a827911da21b8a6e044
Link:
https://www.unpac.me/results/8856ca5c-27b0-458a-b59b-62456a6e627b/
SH256 hash:
b2347147b2afdedcd89e0d199873cd8feb3731a9cafcda6bc9a2e9a3b79d825a
MD5 hash:
7fa6eae668cfa1ea4501865d7849dbbf
SHA1 hash:
a10fdf535845fe5f0487060fff2fc909d7628256
Link:
https://www.unpac.me/results/8856ca5c-27b0-458a-b59b-62456a6e627b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48adb19935018cc99f101e73a3a530d9e48279916ac38073f30ffbebbaba47f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments