MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2
SHA3-384 hash: ad58847533168ae65094ff6b226304b2f85a68131badd7c724a5148d1a65324b0b5900ccd8739005fbf2727755dbe3c0
SHA1 hash: 061a9117a43ef9c36a3028c85aa425ce1bbb3e9c
MD5 hash: f8fecd08c0abc7131e209205e75144f3
humanhash: bluebird-uranus-saturn-mobile
File name:SecuriteInfo.com.Trojan.Siggen12.55507.10566.29135
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'275'816 bytes
First seen:2021-03-24 22:43:59 UTC
Last seen:2021-03-29 09:55:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:phA9+xj4y44tEXPdJnwd4x2Sw6PK3rZSSTTTjxy+Z4vLLShoElY/L8ipTK+eW/Gh:cFw/d
Threatray 115 similar samples on MalwareBazaar
TLSH E716FEA1B3EA300D472976C2D2F5A1BB2FCFF4B3A47246AC18667303DB491649F85791
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen12.55507.10566.29135
Verdict:
Malicious activity
Analysis date:
2021-03-24 23:01:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc982c4c-9116-494a-9271-87936dc56108

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.55507.10566.29135.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Setting a single autorun event
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653146
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 375514 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 24/03/2021 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected AgentTesla 2->67 69 3 other signatures 2->69 7 SecuriteInfo.com.Trojan.Siggen12.55507.10566.exe 3 11 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 5 other processes 2->15 process3 dnsIp4 55 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->55 dropped 57 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->57 dropped 75 Creates an autostart registry key pointing to binary in C:\Windows 7->75 77 Adds a directory exclusion to Windows Defender 7->77 79 Tries to delay execution (extensive OutputDebugStringW loop) 7->79 87 2 other signatures 7->87 18 vbc.exe 7->18         started        21 cmd.exe 7->21         started        23 powershell.exe 24 7->23         started        35 3 other processes 7->35 81 Multi AV Scanner detection for dropped file 11->81 83 Machine Learning detection for dropped file 11->83 25 powershell.exe 11->25         started        27 powershell.exe 11->27         started        29 powershell.exe 11->29         started        31 cmd.exe 11->31         started        85 Changes security center settings (notifications, updates, antivirus, firewall) 13->85 33 MpCmdRun.exe 13->33         started        59 127.0.0.1 unknown unknown 15->59 61 192.168.2.1 unknown unknown 15->61 file5 signatures6 process7 signatures8 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->73 53 2 other processes 21->53 37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 22:26:58 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jughgffb3lskbpgdpd26ugtxtwze6vf6amgfpd5zgaztel4bjpra._file
Verdict:
suspicious
Similar samples:
00f3810a4b6c7f552e0bff91fe48694b7a4a7bf750fb03ea846aa3de97a41ba7
AgentTesla
2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
AgentTesla
4046dccfa2b2852d5e1330d6dcbdd1f82a484d91b629c75c50adb5d0195a90f5
AgentTesla
654c66f3e97f1f9f1164c6cc3c481273077ed1e2ab193cb2c76cc4a7b6048325
AgentTesla
7a8e27f4732de792d7904a347061efd90e892a954206adb676fe8b8a914ca3fa
AgentTesla
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
AgentTesla
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
AgentTesla
8c38ea1b07ac6af7083834889e6c999fd84c857a767cf0928be1e7812a594849
AgentTesla
8cc2bfa5a2a451905fa3ac3e499cada8efc674eb7b8f8878458f5277970bd2e6
AgentTesla
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
AgentTesla
+ 105 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210324-wy695aqwes/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Uses the VBS compiler for execution
Windows security modification
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
a3ce7481b350b02e0db54913f927d29d0b0650e6ab047f6b4ccdaeb87592a944
MD5 hash:
96eaecb7cc6e0a67f8cf868386f11c99
SHA1 hash:
254c4b3067b42ff9d2347df9ebcb388bea61c3b2
Link:
https://www.unpac.me/results/74d62d1a-3c28-4526-8470-c9199b903499/
SH256 hash:
f3b88f3c8988961101ce26729bca7128004055d0db4a4e0beb99ba3604dc9acb
MD5 hash:
d6b7f7c0259f2350578d96105fc61330
SHA1 hash:
09cc065dd45832f2fc73d83c458638d04eeb015a
Link:
https://www.unpac.me/results/74d62d1a-3c28-4526-8470-c9199b903499/
SH256 hash:
4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2
MD5 hash:
f8fecd08c0abc7131e209205e75144f3
SHA1 hash:
061a9117a43ef9c36a3028c85aa425ce1bbb3e9c
Link:
https://www.unpac.me/results/74d62d1a-3c28-4526-8470-c9199b903499/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments