MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b
SHA3-384 hash:	3430d67fba395ef1ab178ff2afaeaacf50a8613baebd0a185e92144eb18c2fab937f642652d0de9891b7fea4c7cbdb98
SHA1 hash:	d8ad182e60fa8db12a401075cf24579f6cd492f5
MD5 hash:	e8d0fcbebd1d4280fead1408bec487d4
humanhash:	oklahoma-mirror-blossom-salami
File name:	SecuriteInfo.com.Trojan.Win32.Save.a.21280.451
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	541'953 bytes
First seen:	2021-08-19 13:00:26 UTC
Last seen:	2021-08-20 04:16:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4f489b335db6d5ec89d1f80710469941 (2 x Formbook, 2 x Loki, 1 x AZORult)
ssdeep	12288:LwtkuQDuu9aPDmOY1WDEiz1UJkdQKC8dGJ2ahXLRYXYvm1wKlAAVnmGmLWUdB7qX:LwtkuQDOEiz1YkdQ4dGJ2ahXLRYXYvmP
Threatray	8'601 similar samples on MalwareBazaar
TLSH	T156B4C010BA80C037C676383187B5E5B24E6EAC302D25DE9B67D839756F30691E635B2F
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180685/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.21280.451.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4d5af42-ce2f-4705-b385-6064b3ed6574

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835792

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-19 11:48:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jzchwwkdkh7wn5olmdxc3a5hgwfo4k45ghetcddbwdm7qfudsffq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999

AgentTesla

4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3

AgentTesla

74c2f8176fadf84bb04083901d52033b0975245676b45cd8607d80bebc91e570

AgentTesla

b045b7b993b005e1930ca50a9eb65df8b62ca29d1dfdbbb28ca6621384172908

AgentTesla

c21d2f1d2c5dad844ee2c789b2a424f0808e9eaf4edbf4319dca34531aacbe2c

AgentTesla

c5727c6dd2a88adab36de5bb5967e52fa898497d1604f5987308e33069872bd6

AgentTesla

d2566bc7abe2eb0b168c9a951d8fb545bb156beeeeb04dec7ccecd6a647a3c75

AgentTesla

e12243e5bae35e437f9e88665c52d3b5086cc5dab0eb5c682132a288625b023d

AgentTesla

+ 8'591 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210819-5jbmkyfy32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

ba0c1261818728b33fad2a37c3768477a58b8b82e97e59dc99893a441dbcdfae

MD5 hash:

86ae1407af6e5bab5cce7f012f791417

SHA1 hash:

ec18fd15ab2cebb19c09635839bb57d03b06319d

Link:

https://www.unpac.me/results/aa9fd557-e525-4ff0-ae9b-7d07226f4760/

SH256 hash:

4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b

MD5 hash:

e8d0fcbebd1d4280fead1408bec487d4

SHA1 hash:

d8ad182e60fa8db12a401075cf24579f6cd492f5

Link:

https://www.unpac.me/results/aa9fd557-e525-4ff0-ae9b-7d07226f4760/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/180685/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample