MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a3479c05afb8620c7e078f550e924d29058c0c14010296f735ac19df393b713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	5a3479c05afb8620c7e078f550e924d29058c0c14010296f735ac19df393b713
SHA3-384 hash:	fb70da8d195a36ce1a287fb6012f8583b7fba3a96300deb5c37481d2e37b4c39396e0cd6158871c211bc7f6d0cdfabad
SHA1 hash:	99e67c22eb50e800bef719152edcdd358c4d0dc9
MD5 hash:	75c5c3a4a631bd4a8ca1f3b01b959a10
humanhash:	spaghetti-uncle-three-pluto
File name:	order 20210407DTR001.IMG.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	31'744 bytes
First seen:	2021-04-21 14:42:31 UTC
Last seen:	2021-04-23 15:55:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:Vtt9KFyEm50EjaBYP9rFUEQ3cvA201+9fCanJjEjxGflkGflF:Vtkm5xjaBe7Q3ZpMIKjB
Threatray	4'143 similar samples on MalwareBazaar
TLSH	40E272D26A8446E6D25CF27682DB991423F0E0F7A7329F1FAA8933535C033521FD961B
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/142194/

Detection(s):

SecuriteInfo.com.Trojan.DownloaderNET.160.12756.26015.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Unauthorized injection to a recently created process

Adding an access-denied ACE

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

DNS request

Creating a file

Running batch commands

Creating a process with a hidden window

Sending an HTTP GET request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/691175

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a3479c05afb8620c7e078f550e924d29058c0c14010296f735ac19df393b713/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-21 07:15:06 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=li2htqc27odcbr7apd2vb2je2kifrqgbiaics33tllaz344tw4jq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1d380dfada55e561b147894bc58c64b6d7f14e44cfd069df0d15dcb2533e4880

AgentTesla

2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12

AgentTesla

4b19e25b2907338e5919fb760324260035c71761de65fc94e8aaf74ed1154d6b

AgentTesla

51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

c27ee7916b7471bc3bf38a4ce92bb3075972ec46814f3ca0d71dbe24dc495e7d

AgentTesla

cbf9d4ef21092210f58ad0cbdd4753dbbf785387dd8f3001014672679196c65c

AgentTesla

d5fa02045d60d623dacb74b1a719e571982f6a68ea7781c06f8d0ce104b98bd6

AgentTesla

+ 4'133 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210421-mw7dy2sec2/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/5a3479c05afb8620c7e078f550e924d29058c0c14010296f735ac19df393b713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time