MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4971d77281b7cf838a77d4cab1f80579732e26f24db47a8e94e883d9234c32b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	4971d77281b7cf838a77d4cab1f80579732e26f24db47a8e94e883d9234c32b1
SHA3-384 hash:	18e9b88b8aeb3f0c71ab03ec02bb7675cf109a44e32f37d7b6c38bdc8db5cbeab0e1a712924cb45321c8ba2095d2d0e1
SHA1 hash:	ab6088b1d8a369a423cea182e2939cef1b2fe6b4
MD5 hash:	2622710b6d83a3bd5ac6039c1420c520
humanhash:	uniform-summer-mars-skylark
File name:	PROFORMA INVOICE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	921'088 bytes
First seen:	2020-12-01 07:47:09 UTC
Last seen:	2020-12-01 10:14:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:kwZz2tSaOTW+PfJb61vHV15sVDST0sDdKzWr:Z8tSaWW0fJb61vHtT0AdKz
Threatray	1'613 similar samples on MalwareBazaar
TLSH	1B1527375E5419FAFC715B3CC9A02DB5669EAFB3630788DC34BA51CA076F9029DC00A9
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106172/

Detection(s):

SecuriteInfo.com.generic.ml.7143.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/551889

Signature

.NET source code contains very large array initializations

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4971d77281b7cf838a77d4cab1f80579732e26f24db47a8e94e883d9234c32b1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-01 07:47:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jfy5o4ubw7hyhctx2tfld6afpfzs4jxsjw2hvduu5cb5si2mgkyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1bd78180b4c512ee6a22daa76e112f84048c0eecc60ca3c905072ce93578768f

AgentTesla

2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51

AgentTesla

841b06b50c50fb14aa583956475f860d25ce4180d9cd7d26090cc96cea3903eb

AgentTesla

87fde2e49507d58cdcc464c5d3e36d322c7f77a4f9e5cc0f1a46455f1a67df5c

AgentTesla

bcba47ff7460e3a03098516dcc1af9369b8fcc302fefaa07c57024830f57e93c

AgentTesla

cc2cc617d2d0f4b909be15f9720cdd9bdeade5fafe2b0c02eee852b15d33d366

AgentTesla

ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870

AgentTesla

eed9c06050ec45f480528543bba5e3176158763beda21f62220bde77f0bdeb3e

AgentTesla

f2799f8a01bd7cff923a3b3db6d9cd361dba9187f1f076e587f2cf355dfa0eaa

AgentTesla

+ 1'603 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201201-l81cjyfqxs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

4971d77281b7cf838a77d4cab1f80579732e26f24db47a8e94e883d9234c32b1

MD5 hash:

2622710b6d83a3bd5ac6039c1420c520

SHA1 hash:

ab6088b1d8a369a423cea182e2939cef1b2fe6b4

Link:

https://www.unpac.me/results/af83decd-0f2b-4068-b1a3-2ce761d59fb9/

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/af83decd-0f2b-4068-b1a3-2ce761d59fb9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4971d77281b7cf838a77d4cab1f80579732e26f24db47a8e94e883d9234c32b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.