MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89
SHA3-384 hash: b0fceef849857d7a303f27aa8d3f28fbb0eede951c557d17cb74d715cb442490b88289b8dfd6d02ed76bef1ea68af57c
SHA1 hash: 8de2af4b5dcf4dabd7a0f3fe8351dd1ab2a1e6a7
MD5 hash: b08591a1566d6b5b35cabb130c6fb633
humanhash: cat-queen-victor-stream
File name:4HM8RWr7kwn51TF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:738'304 bytes
First seen:2021-08-31 18:16:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:J5EDaxEo1s0lcAxcl9AongOjCUum2XFV:jEmj1QP9AonEme
Threatray 9'250 similar samples on MalwareBazaar
TLSH T105F42C7F19BDA2278175C6F58BE38827F0108B6F3110696476D347264322A7AB5F336E
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4HM8RWr7kwn51TF.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 10:11:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8762630-8c11-4137-bc58-5708bc175897

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184283/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.53008.12838.31149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdabcbf9-bafb-48fc-aa7c-62a75a5a549f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842893
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 10:38:40 UTC
AV detection:
6 of 34 (17.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgxu7buqru5qesglfjqylfwnudyifxwfi6kd22qzp2j5pu5qdseq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b4d3e69b4e2e533522d48f27a0137e34b92b01e36d348c12f0df4371ed7d573
AgentTesla
80a5971229dd01d3b78272dae553361c8f9d875b8e274ddbd00753c0e50dd65e
AgentTesla
b196d74012b2af1b9e67fc11dd4b85d3010bc7ef892c7232fa9228bb0d38972c
AgentTesla
b265897f9d97d7c1d2ee2533e216946dd241bff6644b38ba8928db6e1ddf1b63
AgentTesla
b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267
AgentTesla
c85ab5bd7344f3677a769235b13aa14bd7b0d93a61684266abf6596243f9728d
AgentTesla
e71703a89fb65868f5daf7517bdd13d16ad09fc7f9a7b3bf4a65fa67844c4b1b
AgentTesla
fab0db0c780f0c6699b1acd564580dded6fb1857c61093d732da3bde480cd655
AgentTesla
+ 9'240 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210831-fs32lkqpha/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
758763d712c27c53a8b85de07582c9a250638b557e8dcfbae7c278f810241ac1
MD5 hash:
8b7d29dc138f646510a835ffc76e6796
SHA1 hash:
bff289517dc53acc9e172e3445fc87d82f8ee351
Link:
https://www.unpac.me/results/44b3dde2-b4e1-4d98-8827-932202f3219e/
SH256 hash:
763fe93912efa74d402e44b2fb08c4dd062dc2619d3bd25494dfd5b1c710511d
MD5 hash:
3d1cf289681ab9c851e4590a266b62b3
SHA1 hash:
73363646559080eff48d2c5199747f5bb9403059
Link:
https://www.unpac.me/results/44b3dde2-b4e1-4d98-8827-932202f3219e/
SH256 hash:
925dcfb7a5630a6fc678073fb59e8072133fae3e9c4f80ee88b4427b35622b60
MD5 hash:
e1b12c74788ecb485a282fc5806cfdd3
SHA1 hash:
104c7a15c51cc3cf93c9cba3130a7c123ffde476
Link:
https://www.unpac.me/results/44b3dde2-b4e1-4d98-8827-932202f3219e/
SH256 hash:
61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89
MD5 hash:
b08591a1566d6b5b35cabb130c6fb633
SHA1 hash:
8de2af4b5dcf4dabd7a0f3fe8351dd1ab2a1e6a7
Link:
https://www.unpac.me/results/44b3dde2-b4e1-4d98-8827-932202f3219e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184283/

Comments