MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61746b9dafb79e16f8596f5cc55293042ff30813eb717ce28798db708204006c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61746b9dafb79e16f8596f5cc55293042ff30813eb717ce28798db708204006c
SHA3-384 hash: 5cedb9f320dfc7d00546ad1da19940fe3c77d80905219d7d83059f1f11e435d177a3fb5c51566b5efec5eccf46293017
SHA1 hash: c4b66025585c8da199c4274f3bb25283a8a4382d
MD5 hash: 6716c70ac68517e5d32137610cbb24ee
humanhash: kitten-montana-seventeen-hot
File name:PEDIDOS RETRASADOS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'407'488 bytes
First seen:2021-07-05 12:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:/mS6NCOaDaDa7+3PerZn2kgUUeklc7L3ajaq:Nm4InWnbHklc7De
Threatray 6'365 similar samples on MalwareBazaar
TLSH 74559DB1A861465ADC6FCE34C3326E3C0FA77E79FD5FA6392944714B32A76830922513
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PEDIDOS RETRASADOS.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-05 12:23:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d93e7c95-b953-4fc9-be6b-2fdd605fa955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169737/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908.17822.11644.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98db7f0e-5664-4333-89cc-1b9e46180221
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811840
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61746b9dafb79e16f8596f5cc55293042ff30813eb717ce28798db708204006c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 09:56:12 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mf2gxhnpw6pbn6czn5omkuutaqx7gcat5nyxzyuhtdnxbaqeabwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05ceea8a97719ab46d9d2c369a69c4afcc0e57321ff59b20014c11802b052958
AgentTesla
310b0037e8395eafa4f15bf3c09983052f68fa5490bb0670562f71f426002bb4
AgentTesla
4f6160e4c934ebea2ec7628b06c97b7995d0b4378f817adfadb15c90c3edb202
AgentTesla
50f90f15051f6b67b24f50b1f339e8eb40a513ce175f5ce12f6f2a7341d1785b
AgentTesla
5776326232f8948c3e3bbbbb80ff0b1f50fc12df854c6eec11af2d4a0a9666f2
AgentTesla
59d43607b1bc8864486706c222c900ed71eb5a820dfbf85b5ef060dca95db133
AgentTesla
79ebc990200b19fd71c8edfb612e35858831ca166d03ab90c5348b9124000894
AgentTesla
ba9bdabbc6426c606eb1baab65825bc5bfa98e1039fa29f0bef9b19493f79b0e
AgentTesla
f8c19b09ac1db986888e605edf365c2900b8e88112cde564ecf8fa9e279c2d7f
AgentTesla
fc166af65772a1d1402c921cd81c5711d1e49abdd78e08ecf546626974d57314
AgentTesla
+ 6'355 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210705-gjqsg62zkj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/d44243f8-eb0a-4e3a-858d-12e665aa67f9/
SH256 hash:
07b300beb30e88cc596c37b572028049ef75467065a04d9ccfdc03937bcb1954
MD5 hash:
4148be97186be0db4efbdf0903d73a5f
SHA1 hash:
979c4d21e541b4a817caf1a53405250b0fca22fa
Link:
https://www.unpac.me/results/d44243f8-eb0a-4e3a-858d-12e665aa67f9/
SH256 hash:
a66ee633114f494b1ad66c086d26068e42e2cfd67cfb58490f618946774c3450
MD5 hash:
6967bbc834e4e48ca67f7c3695e2a1f2
SHA1 hash:
1ca662578e1f9f8b16c699a229746d8c4c57157e
Link:
https://www.unpac.me/results/d44243f8-eb0a-4e3a-858d-12e665aa67f9/
SH256 hash:
61746b9dafb79e16f8596f5cc55293042ff30813eb717ce28798db708204006c
MD5 hash:
6716c70ac68517e5d32137610cbb24ee
SHA1 hash:
c4b66025585c8da199c4274f3bb25283a8a4382d
Link:
https://www.unpac.me/results/d44243f8-eb0a-4e3a-858d-12e665aa67f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/61746b9dafb79e16f8596f5cc55293042ff30813eb717ce28798db708204006c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169737/

Comments