MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7
SHA3-384 hash: 310e5fcf05f3895b0fa488644639114563de4651ab44e3fc57b838a79e4798643b859decd8c191279ff0c3cc296d6983
SHA1 hash: 1c2508c0aeb46cca094bd072fd5f137bd4795686
MD5 hash: e38c19075b263d583cfd967a1681dc87
humanhash: pennsylvania-fish-victor-london
File name:e38c19075b263d583cfd967a1681dc87.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:851'456 bytes
First seen:2021-10-07 16:40:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:7+9P6UqT4Ldkg1TWvnhEmkZnwT7+oobzf7x9YqMIn17kpmt/dFSvNU2WCHITC4:7tUta0+kZC74f7LYJM9dAC2WMIp
Threatray 10'969 similar samples on MalwareBazaar
TLSH T1B3050E5363AC8ED4C06792B4DFC0C4B96C19D9EE421A53B4AB12AB60F75FC035E6A473
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-07 16:06:52 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/9ab44806-e665-44ad-8570-6770742ce87d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195920/
Detection(s):
SecuriteInfo.com.Variant.Strictor.256637.18899.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615f231fe3d213d202ba2094/reports/816b8100-6b76-457c-9138-938a78b3c786/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ed55dad-f0bc-46fe-a9c2-a7479e2e1b89
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866580
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 499007 Sample: tyJemy11KT.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 29 us2.smtp.mailhostbox.com 2->29 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 5 other signatures 2->37 8 tyJemy11KT.exe 6 2->8         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\lPkFRxLIXjIF.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\Local\...\tmp29A5.tmp, XML 8->25 dropped 27 C:\Users\user\AppData\...\tyJemy11KT.exe.log, ASCII 8->27 dropped 39 Uses schtasks.exe or at.exe to add and modify task schedules 8->39 41 Writes to foreign memory regions 8->41 43 Injects a PE file into a foreign processes 8->43 12 MSBuild.exe 2 8->12         started        15 MSBuild.exe 8->15         started        17 schtasks.exe 1 8->17         started        19 MSBuild.exe 8->19         started        signatures6 process7 signatures8 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->45 47 Tries to steal Mail credentials (via file access) 12->47 49 Tries to harvest and steal ftp login credentials 12->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 21 conhost.exe 17->21         started        process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 13:30:41 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=maxijptpmwmusaj76swmang4baejclqvqkrhig2vuzagxemui3tq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0386844556308a5b8685ab0b26428ceb087f1d1233a6be0d43499020d03f6398
AgentTesla
20649a9922f5fbcc070cf6d8455621b0891217ce1167f89c23ab6964abb90aaa
AgentTesla
31f153b1270cc3279425f4aa1d576dc02142d2008afdf5b7fd21f74431bb6473
AgentTesla
39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa
AgentTesla
7a388ead62a8f818b36c9c9a1938c2172c4fa05edfc71307980131c53c69d054
AgentTesla
7dbdfe2fc6efd3197ed404f6de2fba3612c65115375ab0c3409ead24ab4877cb
AgentTesla
909fbce815ea71ef959b37bb5dc6c18eaea743019b66fae2af196473cffb17b1
AgentTesla
966f5fda32ac9ad436cdeb47d024fb831705d8e14fa83ee74a48483260871ec2
AgentTesla
c7b83926e22a35fba8ce3258d678a475f3f4d94ee49da18f3b630bddd95707d5
AgentTesla
cac57f9210fa4d8fb970249750db6886d99f31e503cdeb6e4641bf1c0055afe7
AgentTesla
+ 10'959 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211007-t64njschfq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
73aaf2f00c9710b347e9543b9e469a1954fb83704d24f9863da56a9563f42630
MD5 hash:
18fa3762332f490560709504b3d5e811
SHA1 hash:
8af4c3d0eb5ba9dbf31d7af11cd49e446b85388c
Link:
https://www.unpac.me/results/f3f65c31-bc40-4510-96c9-1066a9f10a5f/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/f3f65c31-bc40-4510-96c9-1066a9f10a5f/
SH256 hash:
6022811351831eb74da0ab598627135d66ff3012045aa70cbd9731b7610c9e84
MD5 hash:
e055b74ec4f59147e5bb0de387211ab4
SHA1 hash:
4aa8a79780d511c1c3e61df77e1a220a1b374455
Link:
https://www.unpac.me/results/f3f65c31-bc40-4510-96c9-1066a9f10a5f/
SH256 hash:
602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7
MD5 hash:
e38c19075b263d583cfd967a1681dc87
SHA1 hash:
1c2508c0aeb46cca094bd072fd5f137bd4795686
Link:
https://www.unpac.me/results/f3f65c31-bc40-4510-96c9-1066a9f10a5f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/602e84be6f65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 602e84be6f659949013ff4acc034dc0808912e1582a2741b55a6406b919446e7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/195920/
  
URLhaus
https://urlhaus.abuse.ch/url/1659890/
  
Delivery method
Distributed via web download

Comments