MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e
SHA3-384 hash:	989cb0680ddd6544c5b9eb3ec3012ff062c9b22869a36bc093b098468c70d33f0eda9990e4df8cc6b8447877b8a63180
SHA1 hash:	42795aaf2d77d7758053908f288162638b9b5efd
MD5 hash:	6c20e4b64600d5d4e57289ae5efc8317
humanhash:	wyoming-west-finch-december
File name:	AUG_Statement of Account.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'207'808 bytes
First seen:	2021-10-07 05:49:41 UTC
Last seen:	2021-10-07 11:27:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:+MUF5CTTJzqQ9xeDx7F2itLVBJuOm1CZJTqWE41Ubw:DU6TTJzdeDxvBMOm1qqNZb
Threatray	10'881 similar samples on MalwareBazaar
TLSH	T11B45D85363AC8DC4C0A792B4DFC1C4B96C19D9EE421A53B4AB12AB64F75FC031E6A473
File icon (PE):
dhash icon	80a09890f4ccbe0e (2 x AgentTesla)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AUG_Statement of Account.exe

Verdict:

Malicious activity

Analysis date:

2021-10-07 06:47:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/610d5e04-9222-44d5-8566-17f1aaf09758

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/195599/

Detection(s):

SecuriteInfo.com.generic.ml.29908.7817.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615e8a8de3d213d202b96fed/reports/a273647b-cb50-46a4-84a5-ac1e572d483e/overview

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9894127e-d04d-48a8-a6c2-7c17292259d1

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866031

Signature

.NET source code contains very large array initializations

.NET source code contains very large strings

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-07 02:35:54 UTC

AV detection:

8 of 45 (17.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4tpmxaeigr4ov3cm35xraydukbifxvgkrrdip67jc3pymohmv7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399

AgentTesla

a67263bb6f4ffdb09b65b1f49c3467cc7ff81c9928a96c4a024b5832ffbbd1ac

AgentTesla

b6614648b9b843adc10b45bb39e064560e083d9db6a196e4dd16b845cd33ea52

AgentTesla

b9b2ce68a18db98a1253e9ece1d2d99a030be25ad433ef2dd3889cff53316d99

AgentTesla

bc85f180f9bbf93ebc17983512fc302bb71b2534aa3aae9d721c9ac252fbade9

AgentTesla

d8365313ee807a43671e695fef494aec45f0604e64718d22f9e8c230a3776562

AgentTesla

dc0cff9e3bc575333097988f46e46f1925cedf35329a749a642576601a45674c

AgentTesla

f1e7971b530395c849ca55d1e02e24b43da73ea9ec3d1f20c2afd9f06f5fe1a9

AgentTesla

+ 10'871 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/211007-gjlg8sbhb7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

d8c6736e1c70dc9ff56e40bcf5352b5d915004bb17dd770ed65dabdfc71f4d64

MD5 hash:

69f8349525db2557249c28e4f4c00f97

SHA1 hash:

fb3fee71e922aa659fd1294ba4776ba53e61c5c3

Detections:

win_cannon_auto

Link:

https://www.unpac.me/results/57f56656-adc9-4631-b6f1-e07c0a92c341/

Parent samples :

f1e7971b530395c849ca55d1e02e24b43da73ea9ec3d1f20c2afd9f06f5fe1a9
116d3acdcd11c7f527ba7f78f00eecdc470ccde2f0e2dfac43494ba3f04e6dc5
5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e
97e72fa55e850976b11fd89b2df89a0987c2b45d2da4b3f8295028b42f24540c
ffbd9f2074b2eaa45f8562aa8cef8e7e71e8302789e4c6e199b2e15b67adc3c4
f8b6cef0c8661670c5fbc1cb78c9004f51c60b10354d02e24d1e9b8ff4154bb4

SH256 hash:

43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345

MD5 hash:

f62ab5d3528d5a3b9e270ea1f9347868

SHA1 hash:

6a74e87711c615adbd9145f829a33f55b7e42dd6

Link:

https://www.unpac.me/results/57f56656-adc9-4631-b6f1-e07c0a92c341/

SH256 hash:

8559f47a2ba3fa5da7c62eeaf4823eebe089b32c2e10afe336086286568de985

MD5 hash:

e9cfa737b93d3b8ae2af9e47bd3de206

SHA1 hash:

5939f7d0e617ed560a1f3672b75b742ff9354b6a

Link:

https://www.unpac.me/results/57f56656-adc9-4631-b6f1-e07c0a92c341/

SH256 hash:

5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e

MD5 hash:

6c20e4b64600d5d4e57289ae5efc8317

SHA1 hash:

42795aaf2d77d7758053908f288162638b9b5efd

Link:

https://www.unpac.me/results/57f56656-adc9-4631-b6f1-e07c0a92c341/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5726f65c0441/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	dridex_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_cannon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 5726f65c0441a3c7576266fb788303a28282dea65462343fdf48b6fc31c7657e

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/195599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample