MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d
SHA3-384 hash: b30932d1435c3022373f320f21d847e7fc4173566d95fd705fd4bfe2fe20a281b63023c85b6d41a3247d0ac527e9b606
SHA1 hash: 36fc8d41bc5b5e80d1ebaba2a823df98eb16ed94
MD5 hash: f9f5c5b93b3968a86c04ec0ced5b474b
humanhash: uniform-victor-robert-zebra
File name:документ_000288378_09_13_21.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:950'784 bytes
First seen:2021-09-13 09:51:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JMAG6mbLrnVdooQC7uCQ6mdrC1lmCQlu+pao2MXMaeKy:KJvLrnVdonC7nQ3drC1x0padkMae
Threatray 10'083 similar samples on MalwareBazaar
TLSH T16415DB38ED0B21B7EBAAD334E4BA190AA5F414BB33309D5EC592774D190760374DA3AD
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
документ_000288378_09_13_21.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-13 09:55:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7733dd48-3ebd-4ba2-89ec-9640bc7025f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16569.25482.13965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6174ffd3db358dd15ed918f4/reports/c4613efb-7dbf-49a4-ae69-fc19ed069518/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2eef513d-6904-4405-9460-c4a932fabcaa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849677
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 09:14:01 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mi4jjiu2txrg4uca2sysauim4vkymmlhn46wubzwke3yic5pqmgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
121b6dad90e595649055bbf49c7908ec6158b6f276c51e03a1f3492335ec6b43
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
91a6b9986b0bdab99c2cb9329096ae0290a54dd44091ca76212ee0cd18bfc93f
AgentTesla
96b50e311c59c1c2729d49e9d1425a9840265e2e897b444c9540eb900ab3bce3
AgentTesla
a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
f3e6dcfd4b79c28078de10a6e14385b58a69b73b79986cef7000e88501b7d3ae
AgentTesla
faa5023447bfa3319ef4bade70a720dc8c101eec8a86bf499e8677a20c2fd475
AgentTesla
+ 10'073 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210913-lv3m4sddf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
3fbd42d7aa2aa8ec0bdca30c9a87fe3690d510b9ae8c1906ba71555b6df7472e
MD5 hash:
04a2dc2c9155b90cd78f6e0edf5ac3e9
SHA1 hash:
ae49bb32a3c039d761a5f5a988b287137688d3d3
Link:
https://www.unpac.me/results/4e2ea4b5-a5f9-4db8-bc46-63172eed36e2/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/4e2ea4b5-a5f9-4db8-bc46-63172eed36e2/
SH256 hash:
61fc22be5c4dd126f9ca8e688b0d4ad794bfc51b5bcb881c3e45e0c17159220e
MD5 hash:
e3b9528654b15fb386343b992a051262
SHA1 hash:
33ae869983c485b603a04da9762a4745d56dc9b9
Link:
https://www.unpac.me/results/4e2ea4b5-a5f9-4db8-bc46-63172eed36e2/
SH256 hash:
623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d
MD5 hash:
f9f5c5b93b3968a86c04ec0ced5b474b
SHA1 hash:
36fc8d41bc5b5e80d1ebaba2a823df98eb16ed94
Link:
https://www.unpac.me/results/4e2ea4b5-a5f9-4db8-bc46-63172eed36e2/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/623894a29a9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 623894a29a9de26e5040d4b120510ce5558631676f3d6a07365137840baf830d

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments