MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 13

SHA256 hash: 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167
SHA3-384 hash: 74345dee660e87c419e403e9d3d8787d7e79d8db580e923c4c1520cf1f9dc0368e52bbde6b42f8bb5f87a6803068102f
SHA1 hash: 1fa7ea2d0e348b7e1d79a7e6426e6f10376238e4
MD5 hash: be56d049ee926fbccec623695d12a5c6
humanhash: social-pizza-mike-delta
File name: be56d049ee926fbccec623695d12a5c6
Download: download sample
Signature: AgentTesla
File size: 271'485 bytes
First seen: 2022-01-14 02:28:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep: 6144:owsJm3jpsSbMcpJxUNhZfbn5Svf7AkjdOFIP6:B3lTbvpJqNj5af7DjAFIi
Threatray: 16'656 similar samples on MalwareBazaar
TLSH: T1C84423967ED488EFC15B853257A3B2A6D3FA93293D91294F47600F6E29320C3CE541E7
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: be56d049ee926fbccec623695d12a5c6
Verdict: Malicious activity
Analysis date: 2022-01-14 02:32:25 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a file in the %temp% directory
  Creating a file
  Unauthorized injection to a recently created process
  DNS request
  Creating a window
  Using the Windows Management Instrumentation requests
  Moving of the original file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed shell32.dll
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains very large array initializations
  Detected unpacking (creates a PE file in dynamic memory)
  Found malware configuration
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Moves itself to temp directory
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal ftp login credentials
  Tries to steal Mail credentials (via file / registry access)
  Yara detected AgentTesla
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-13 20:19:42 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: RenamesItself
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Loads dropped DLL
  Reads data files stored by FTP clients
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  AgentTesla Payload
  AgentTesla
Unpacked files
SHA256 hash: ba259c3bf51ae2b5ceaf843dd2e5cae3865acba2f5e81115fa6d3f4bb1d3f392
MD5 hash: 24e8067b956182ddee35ab317de624c6
SHA1 hash: 37e4431822ca95fd5b26248a36c39fdf9f6b7a9d

SHA256 hash: 3c9674a7f275d386d9eafbb316ccb8ff2b1362cde1c45a53af9fd015a60a46ec
MD5 hash: 9e57e1d10dec4983207d1c0a8f6460e2
SHA1 hash: c04baeba5133dff6fc5f4a2fdd4393e89e0fd19a

SHA256 hash: d4aa3f3ba1abad402d6955900aa7e90955feff4d11ec1b0882d8bebb257100af
MD5 hash: ee5a56a709bd328b3c67185e6213fe53
SHA1 hash: c7989e6d8f40e5548007ccf1ab53ee6034f5b59b

SHA256 hash: 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167
MD5 hash: be56d049ee926fbccec623695d12a5c6
SHA1 hash: 1fa7ea2d0e348b7e1d79a7e6426e6f10376238e4

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: AgentTesla
File type: Executable exe
SHA256 hash: 626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-01-14 02:28:23 UTC

url: hxxp://rfr.lt/dhm.exe