MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3
SHA3-384 hash: 9f56936311e3ef0fb3be8ab76c1f976d1c9b0a64598ec8e36c4fa761843ac7f9004eb2140e1a66561aaea88fd37ca274
SHA1 hash: 7b6c16fd46a6858fcc0b8e33083e6e1c9e597bb2
MD5 hash: bddf1c87f9f063cc690ac24a4dd5b161
humanhash: asparagus-triple-emma-nebraska
File name:PO #5618896.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'184'744 bytes
First seen:2020-11-19 07:10:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:DSmtpLMyX1EqAFe1UPkLK3dPeZl5pELqaTAldM6qrwk3S+m3XuIroPuuae3vle:gOqFeqv3Rcnp4VTATort3I3XuIU3aeI
Threatray 1'384 similar samples on MalwareBazaar
TLSH E0E56B5C3C43305F798A00B056DB6AE892DA3118067127399DE764BCEA1DD6B7CEF872
Reporter cocaman
Tags:AgentTesla exe

Code Signing Certificate

Organisation:Cabbcfaebdf
Issuer:Cabbcfaebdf
Algorithm:sha256WithRSAEncryption
Valid from:Nov 19 04:32:27 2020 GMT
Valid to:Nov 19 04:32:27 2021 GMT
Serial number: 2A4E21016388AD9B9003EE2ADB079821
Thumbprint Algorithm:SHA256
Thumbprint: 29C5C0AC839820C6298F9910616B99B39EAE8993F54B12959EF63A2FCB007DC3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542346
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320266 Sample: PO #5618896.gz.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 40 pastebin.com 2->40 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected AgentTesla 2->48 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->50 52 8 other signatures 2->52 8 PO #5618896.gz.exe 24 6 2->8         started        13 PO #5618896.gz.exe 2->13         started        15 PO #5618896.gz.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 42 pastebin.com 104.23.98.190, 443, 49730, 49742 CLOUDFLARENETUS United States 8->42 36 C:\Users\user\AppData\...\PO #5618896.gz.exe, PE32 8->36 dropped 38 C:\...\PO #5618896.gz.exe:Zone.Identifier, ASCII 8->38 dropped 54 Creates an undocumented autostart registry key 8->54 56 Creates autostart registry keys with suspicious names 8->56 58 Creates multiple autostart registry keys 8->58 60 2 other signatures 8->60 19 powershell.exe 8 8->19         started        21 powershell.exe 8 8->21         started        23 powershell.exe 11 8->23         started        25 4 other processes 8->25 file6 signatures7 process8 dnsIp9 28 conhost.exe 19->28         started        30 conhost.exe 21->30         started        32 conhost.exe 23->32         started        44 192.168.2.1 unknown unknown 25->44 34 conhost.exe 25->34         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 07:11:06 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgp3wfrrkxe534pkpgqw6w5ru5jk6trfx7ck27sif766i4nwzxrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
103903b8cda6c1d3d2324c704b7bcf6d1f3b5211dc871d246bbb74595f128009
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
91816d916870f6e48ed8937694ab3108bfd6b57b1aef7a69dff474db7602e274
AgentTesla
a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0
AgentTesla
c2492c733ead768e887ed1ebb1d1ee48fe059bde4f4650f5674c7c66adcc0dfa
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
+ 1'374 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201119-cg52gbqkea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3
MD5 hash:
bddf1c87f9f063cc690ac24a4dd5b161
SHA1 hash:
7b6c16fd46a6858fcc0b8e33083e6e1c9e597bb2
Link:
https://www.unpac.me/results/454c696c-8f5e-43c0-af97-a560810b397b/
SH256 hash:
9087ff8d8e6a6b196cb8377f8dbe4b4e3986ad7e671935066d4bf011eb05b230
MD5 hash:
6ef909ae97c6b928ce06caf01c019a9e
SHA1 hash:
2381e34621bd4cc5aa519eb5a5730caaac8d0b89
Link:
https://www.unpac.me/results/454c696c-8f5e-43c0-af97-a560810b397b/
SH256 hash:
6b36da743413726fdac198936c552ef64d605a397c21b22d96d269f5d06cb907
MD5 hash:
3e6e7847f8c111ce563f674c81d1dce5
SHA1 hash:
c6d4c886ed3f3fcc8bf24b3dd19fba0c7c9b5989
Link:
https://www.unpac.me/results/454c696c-8f5e-43c0-af97-a560810b397b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 4a9d761102283a494ff2b7a5ba12dc0e6bfda323c7eb99de2e1770add500d4e0

AgentTesla

Executable exe 499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4a9d761102283a494ff2b7a5ba12dc0e6bfda323c7eb99de2e1770add500d4e0

Comments