MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f
SHA3-384 hash: e449d5480b0f172604b1dacb42bc3a1c6d3037063f2ecd1456e0d2b73bbdd185d8c9b65e0937fe0b0313b86cc8ef0971
SHA1 hash: 269205030bf5141d9b5ecc4b074d607a4a8d3893
MD5 hash: 62feb627bc1835ddc0713f67cd8cd5d5
humanhash: romeo-hawaii-wolfram-shade
File name:62feb627bc1835ddc0713f67cd8cd5d5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:993'280 bytes
First seen:2021-07-16 18:53:42 UTC
Last seen:2021-07-16 19:53:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:jSIxZ0EG3KQyTs4XlhyI/vbU8lEpWlg0w0egdk3xg0YQohPGuAgzOQmPzYoW2HZT:jSpglgn01de60wggzOooDPqjtkn
Threatray 6'964 similar samples on MalwareBazaar
TLSH T177251E3E6AA42A27B777D2644681C015F8BC91DB3A395CD742C7698C350E8027EE7F2D
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc_347343.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-16 11:00:17 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/9854e6d0-0629-47ad-a1d2-491551bf591c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172252/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14366.1327.22468.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8b0e31a-1212-4abf-b855-0fa6751f8833
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817672
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450085 Sample: aetXvYo2Gi.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 6 other signatures 2->58 7 aetXvYo2Gi.exe 7 2->7         started        11 MLdAu.exe 5 2->11         started        14 MLdAu.exe 4 2->14         started        process3 dnsIp4 40 C:\Users\user\AppData\Roaming\BlRqbmH.exe, PE32 7->40 dropped 42 C:\Users\user\...\BlRqbmH.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmp9567.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\aetXvYo2Gi.exe.log, ASCII 7->46 dropped 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 16 aetXvYo2Gi.exe 2 5 7->16         started        20 schtasks.exe 1 7->20         started        48 192.168.2.1 unknown unknown 11->48 66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 70 Injects a PE file into a foreign processes 11->70 22 schtasks.exe 1 11->22         started        24 MLdAu.exe 2 11->24         started        26 schtasks.exe 14->26         started        28 MLdAu.exe 14->28         started        file5 signatures6 process7 file8 36 C:\Users\user\AppData\Roaming\...\MLdAu.exe, PE32 16->36 dropped 38 C:\Users\user\...\MLdAu.exe:Zone.Identifier, ASCII 16->38 dropped 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->50 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 12:32:56 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jh2k44hkyano6cxiv2fpxw47ejyw5n4wkffiqvewctsefl7qsaxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
188bcacd74aabebec45f6a24175295ed574de65516021c9f0739dff3e9666a6f
AgentTesla
2e6df0509187e53aabb32ef98d141b346f484f1c0ce81939778cc24ac5ec11b2
AgentTesla
4ca6a1195608a6206f231d731094ee7a6b063d6acd5350709fb6a3c74e0dd627
AgentTesla
8e633c1c72c197d17226b125498340ad7f76a03496806f2e0deb75c203083b7f
AgentTesla
a6e9b29c704be52956d000ed59a713ef42e190182debdb7019c064bec40cee59
AgentTesla
c41afa82210b89e339e33412ca6c311df5f4620f97b7930d3755db20dbfe610e
AgentTesla
e45f8186d5e8e6429af257e0d1b5a6de36cf68b4b5e8336600ca9c1736f3d8d0
AgentTesla
f773f1857eed440ae5f94c934c32bc0921621d3c34b6b347c81a6ab781463412
AgentTesla
f9923220b920910f9d01679f4eba3c4d386a3bbca566f398ba7aed6eeaa08766
AgentTesla
+ 6'954 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210716-11h3j6s5pa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/57e0f886-6475-40e4-a57c-ac8c8b1bd399/
SH256 hash:
a608a6154e0304e5d05a86a7cd7a1ce1825f82c658e1dd88f8c17d7324146ee9
MD5 hash:
906eb1842ba29ecbac1b3d7cc15813ad
SHA1 hash:
ad0fec120c2f7e5438009b610308b3a91820956c
Link:
https://www.unpac.me/results/57e0f886-6475-40e4-a57c-ac8c8b1bd399/
SH256 hash:
3c9f552765104183e47e238fdae5ff82210b46af1f9b511ee8aa9e41f19b4077
MD5 hash:
7aed072fc2b30310efc248a2bafc7dda
SHA1 hash:
9e956bce77fc925854d6800b6fb4647dfb813e26
Link:
https://www.unpac.me/results/57e0f886-6475-40e4-a57c-ac8c8b1bd399/
SH256 hash:
949914db8c24389e625eb7eb9068ec37a198290c1723a0c241333777fab6725c
MD5 hash:
99fd8c05a48821edcbbd560ec8b0de3f
SHA1 hash:
724fe160aa2c342818e598a7ba89ea31f25a3fe3
Link:
https://www.unpac.me/results/57e0f886-6475-40e4-a57c-ac8c8b1bd399/
SH256 hash:
49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f
MD5 hash:
62feb627bc1835ddc0713f67cd8cd5d5
SHA1 hash:
269205030bf5141d9b5ecc4b074d607a4a8d3893
Link:
https://www.unpac.me/results/57e0f886-6475-40e4-a57c-ac8c8b1bd399/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 49f4ae70eac01aef0ae8ae8afbdb9f22716eb796514a88549614e442aff0902f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1430278/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172252/

Comments