MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51477b02467aaaf53423652ed3cad01fc40fa63725602913aa6a84a0a748ddd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7



SHA256 hash: 51477b02467aaaf53423652ed3cad01fc40fa63725602913aa6a84a0a748ddd9
SHA3-384 hash: 67503f97af80ac04a78e87088b471228ea73cc2451810d0a816316d2239f6241ae0df4e761c172f9adcaef730382ac79
SHA1 hash: 233fe8464cc50622850a6e53e0e9a52fd0fcafe2
MD5 hash: 62d55952c66fc7afe3554ecc06dfb3b2
humanhash: aspen-mike-charlie-avocado
File name: 29ljA5TJ1aRwW3D.exe
Signature: AgentTesla
File size: 736'256 bytes
First seen: 2020-11-06 14:03:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:Y64m2KyB6DU+OZGjovri4RR6IHqmCbuZncfYOHi7:F4mTysDU+XoFR6mCCZEYOHi
Threatray: 1'003 similar samples on MalwareBazaar
TLSH: 5EF4DF7263985F65E07EA7B8403194500BF2BC52AB25E60EBDE434DD35B2F469B72E03
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 76
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2020-11-06 05:41:47 UTC
File Type: PE (.Net Exe)
Extracted files: 25
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
