MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c50ec2744ea7c8c59f6334b0f2c209ddde328c86e7d64e2b2f64418003c107. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	55c50ec2744ea7c8c59f6334b0f2c209ddde328c86e7d64e2b2f64418003c107
SHA3-384 hash:	e0acc99371a0e6ee72ddb2a7c52d97e247484c750102069a35b7167436cc4b6c0074efd43c84fa145af5a24dc22e1a69
SHA1 hash:	f3182998e163976fd3e40872e8492e6fac8c303b
MD5 hash:	bd2eb29a1b212b77acadf894b6647816
humanhash:	arkansas-mars-fillet-indigo
File name:	miaka.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	312'320 bytes
First seen:	2020-11-09 14:28:40 UTC
Last seen:	2020-11-15 22:47:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:wtpJVlStW5A39kc6yK70g5Ptu9VbMJ6K0acZp:0pzAHg58Xq67PL
Threatray	460 similar samples on MalwareBazaar
TLSH	D164D0767C9258BDCA6B077550B984C1FAB927C73FA5CB0E319B830C1E01A6BAB13157
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.44412182.30553.30851.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/526451

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55c50ec2744ea7c8c59f6334b0f2c209ddde328c86e7d64e2b2f64418003c107/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2020-11-09 02:53:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kxcq5qtuj2t4rrm7mm2lb4wcbho54mumq3t5mtrlf5sedaadyedq._file

Verdict:

unknown

AgentTesla

8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2

AgentTesla

91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18

AgentTesla

a83497c7e3335390441e23f19360eb02a9f9e0613afe56bd0743e1502e1d01df

AgentTesla

b511fbc6adf655af3e693e7a7081e62f26eacd616273f625a8e9c3568420e1fc

AgentTesla

ce0bb06540ce566b2ea9686e78418cfabd6383b9be6886c0db75cebe8ff058ea

AgentTesla

cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e

AgentTesla

db517c67feb8b21577f90e6b2f43747b402ffe16777294814f8461eef6b53a9c

AgentTesla

f24849d70670b5448e96f02fe8bc12328bee2922be60f70ec8121531778f0d05

AgentTesla

ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630

AgentTesla

+ 450 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

agilenet spyware

Link:

https://tria.ge/reports/201109-re67lfjc92/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/798923/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample