MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66
SHA3-384 hash: e170c1445e7764f7920422ff763a28c88d9467f6e22c0f8caec7df13710c25f62f9b999c7d5fb46f00d03ea8688cf5a6
SHA1 hash: 19c345fb85877be3adcdc014ca62f7da56cb9920
MD5 hash: ee63641e45cd39a27512828a6d5de7b3
humanhash: lake-cat-eleven-pluto
File name:ee63641e45cd39a27512828a6d5de7b3
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'056 bytes
First seen:2021-09-22 13:25:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:bSlmtiK5oBP5NhGUPGUmCQdv5aKPQaHz7VQPvOJbEojcuxR+haSz8NWGDJ9d0muF:e+FoBPrwzakz7emZEg7tWK
Threatray 10'132 similar samples on MalwareBazaar
TLSH T11CE4012D7690B6AFC913CA7699B82D50FB21F06BA60BD3037453119C6E4E6CBDE114F2
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER.doc
Verdict:
Malicious activity
Analysis date:
2021-09-22 12:01:18 UTC
Tags:
exploit CVE-2017-11882 loader keylogger stealer agenttesla
Link:
https://app.any.run/tasks/0d220f99-f9e6-4415-a280-fc0d4dc82e9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190288/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07b9b596-9313-4527-ab7e-18686c34e2eb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855698
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488133 Sample: F2YjL5926V Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Antivirus detection for dropped file 2->61 63 9 other signatures 2->63 7 F2YjL5926V.exe 7 2->7         started        11 newapp.exe 5 2->11         started        14 newapp.exe 4 2->14         started        process3 dnsIp4 43 C:\Users\user\AppData\...\jstShOHQeEox.exe, PE32 7->43 dropped 45 C:\Users\...\jstShOHQeEox.exe:Zone.Identifier, ASCII 7->45 dropped 47 C:\Users\user\AppData\Local\...\tmpCA92.tmp, XML 7->47 dropped 49 C:\Users\user\AppData\...\F2YjL5926V.exe.log, ASCII 7->49 dropped 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 7->77 16 F2YjL5926V.exe 2 5 7->16         started        21 schtasks.exe 1 7->21         started        55 192.168.2.1 unknown unknown 11->55 79 Antivirus detection for dropped file 11->79 81 Multi AV Scanner detection for dropped file 11->81 83 Machine Learning detection for dropped file 11->83 23 schtasks.exe 1 11->23         started        25 newapp.exe 2 11->25         started        27 newapp.exe 11->27         started        85 Injects a PE file into a foreign processes 14->85 29 schtasks.exe 14->29         started        31 newapp.exe 14->31         started        file5 signatures6 process7 dnsIp8 51 jtinti.com 67.20.76.217, 49810, 587 UNIFIEDLAYER-AS-1US United States 16->51 53 mail.jtinti.com 16->53 39 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->39 dropped 41 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->41 dropped 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->65 67 Moves itself to temp directory 16->67 69 Tries to steal Mail credentials (via file access) 16->69 71 3 other signatures 16->71 33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 29->37         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 13:25:28 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kss7wdtuw5c7obnhd6famjyeges4ta5vnnuf7o3qg2dxznbe7jta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20930a912e8c5fc24f604f9605a234e5c2b887d1c1351c1c03cebc199a88e089
AgentTesla
4168cb7280d51dff7f076d035d5233f5008af3ea643b8ceb89ccb9db1f9b601b
AgentTesla
49c52b95a4e8fb4790b5549c90a4f2bb7895693b1054d82074d66ca8fc5f8162
AgentTesla
867f65eceabe8913a49b397bc8c874dc42b6b76608cd5fe0e2c9b3ac2f165bd4
AgentTesla
c0db21bc0fb6b3181eb72e8077903c47346540a79a36fc69640fa47fac62e657
AgentTesla
d3684f72802847a5b483195c93901318220f9eb288105bf725924d83d436d0f3
AgentTesla
dd89bc056a16b90aaede8e70eede3d8b5523bccc86e8a0a6709ea91b99a7a2cd
AgentTesla
f077eba249e41b618f2beca6307585844eada56f528de4fa2468dce43a81fbda
AgentTesla
fa88b1167480e75e92229ac8be14090eb7bcd0c0e675343c9a0c27e15b58d3de
AgentTesla
+ 10'122 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210922-qnz1vsfddm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
3e16ceabedaee3460d74406389a5774d38c1a5d61368136b511e49735310ef7d
MD5 hash:
ac5391b3242cf06b760717967687880f
SHA1 hash:
c4cb205be01777c047fd93df1f68b9726191b56e
Link:
https://www.unpac.me/results/5f7dc4f7-db23-4a38-a03f-ebde4f1b85a0/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/5f7dc4f7-db23-4a38-a03f-ebde4f1b85a0/
SH256 hash:
7b9a9baf753f175fdeb0705e949ca05bf683d8b0266e16de00b715be50f967ca
MD5 hash:
aa830688c37158b8857570baa2697ffe
SHA1 hash:
8271a89ee9b13d2ca7012b2d4b73eb222f866667
Link:
https://www.unpac.me/results/5f7dc4f7-db23-4a38-a03f-ebde4f1b85a0/
SH256 hash:
e835378ca804fbf8747f5426878a2ae7b52c9abdfe5f4c394b637bf9b14864d0
MD5 hash:
bd2f03703ade632f29864c3b264fcb98
SHA1 hash:
2ec317672d7db784496f9a7cdab8ec376c3eb463
Link:
https://www.unpac.me/results/5f7dc4f7-db23-4a38-a03f-ebde4f1b85a0/
SH256 hash:
54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66
MD5 hash:
ee63641e45cd39a27512828a6d5de7b3
SHA1 hash:
19c345fb85877be3adcdc014ca62f7da56cb9920
Link:
https://www.unpac.me/results/5f7dc4f7-db23-4a38-a03f-ebde4f1b85a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 54a5fb0e74b745f705a71f8a0627043125c983b56b685fbb7036877cb424fa66

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1639334/
Cape
Cape
https://www.capesandbox.com/analysis/190288/

Comments


Avatar
zbet commented on 2021-09-22 13:25:08 UTC

url : hxxp://xleetaz.xyz/stockers/okito.exe