MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2
SHA3-384 hash: 757ff288be6bfa348dfd1097141b545df174bf5d6b633de62e6be2b5d096d37768dce601ac820ed7b963187d46f37731
SHA1 hash: 3bea2ff54c5f9483e93e06d1a6b3f4ba0db3e029
MD5 hash: d87d1faa4c23aa64e915d4d4f269e105
humanhash: neptune-shade-artist-low
File name:d87d1faa4c23aa64e915d4d4f269e105.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:326'640 bytes
First seen:2021-06-07 15:13:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:S6yhpa6A2QDqRYUhLLAeY+OH/SNwPTe2rU1:xy3a6tQD2ZLHU/SabrU1
Threatray 5'678 similar samples on MalwareBazaar
TLSH EC64CFA20709C9D8F25A4B78583C9B6308663E560DD15CCD9E9DBDF43CB26EA518F03E
Reporter abuse_ch
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:Telegram FZ-LLC
Issuer:COMODO RSA Extended Validation Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-07T00:00:00Z
Valid to:2022-10-06T23:59:59Z
Serial number: 1f3216f428f850be2c66caa056f6d821
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e31f1b9c3ddd0edefdf96f85b8ffd1db976573bb262cc6e1154ad8fdc4d55449
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AgentTesla SMTP exfil server:
janrytwo.xyz:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d87d1faa4c23aa64e915d4d4f269e105.exe
Verdict:
No threats detected
Analysis date:
2021-06-07 15:31:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2c039b0-4572-436d-9e57-f85930553335

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165062/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.95.27466.1896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798227
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 09:30:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knnmwncbudyx4krjogqb7sbs6olzaxhehxc7loavk2rahlgwksza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
51d068920ee714c25ce8b122798f7492ca0d0fc4ef196040a1443aa392a1e88e
AgentTesla
87e608472d27e2577ab901b0dd1b83038bde3d6de7cc075a0d68814f848caaeb
AgentTesla
9898c37e93d4e9a054c013f34ca57c1aa9130112c9104386219f94e1125d0b97
AgentTesla
ab85d14a9e446c481821b3ec3fef2da3f3920dc3f2a143694d4f7570e688ce07
AgentTesla
acff3b5247f863e48033ccd2ee7db353f918c6362b9a5beaaac8dbf42bbde5f4
AgentTesla
b2072f0b2c243a19d26b7e007782f2e3734710c93cc9dfc285b0d5b7097ea5a0
AgentTesla
c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4
AgentTesla
c5105375437a69ac2d05920a26fd126a75a4df6678be884a81ee8577e49ed42f
AgentTesla
d9c745aa956faf9924734fc856bc69a23820e0d76b37a75c0889bdd2e53d4415
AgentTesla
+ 5'668 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210607-7m8cs8lhxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f2d718e40cdf5fd917cdaa95d311d9286042878ae607fe9ca7ee66b24474a82f
MD5 hash:
d763ec0591954e474d6d9e4e2913fcf9
SHA1 hash:
185bc134bcf59acbd3afcb2a2f73802919f94a1a
Link:
https://www.unpac.me/results/272cd60a-27bb-4032-a524-1b9870c65abe/
SH256 hash:
76f2712bc824a2883b2d7d9abffda926a5ba4eba4c3d02f8ff66e793057c473c
MD5 hash:
69ef3ea0ab1ef8a344ebd848a84274a4
SHA1 hash:
659a66f3ea7c5754bbd171c0c75529af512331dd
Link:
https://www.unpac.me/results/272cd60a-27bb-4032-a524-1b9870c65abe/
SH256 hash:
089bccb37032bf6b3f8434f7910d817a2cbc3dee4c79554432910c54da18a81c
MD5 hash:
c64a8bb2d771f22a1378294329c674d2
SHA1 hash:
8b994c5a27d470cd34e35187b35788606914a18e
Link:
https://www.unpac.me/results/272cd60a-27bb-4032-a524-1b9870c65abe/
SH256 hash:
535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2
MD5 hash:
d87d1faa4c23aa64e915d4d4f269e105
SHA1 hash:
3bea2ff54c5f9483e93e06d1a6b3f4ba0db3e029
Link:
https://www.unpac.me/results/272cd60a-27bb-4032-a524-1b9870c65abe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 535acb3441a0f17e2a2971a01fc832f397905ce43dc5f5b81556a203acd654b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335664/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165062/

Comments