MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 653c67c3dca6e1d5f831cfcbd04487f21b68fd4b395e645b891ea887f52da698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	653c67c3dca6e1d5f831cfcbd04487f21b68fd4b395e645b891ea887f52da698
SHA3-384 hash:	76c6c8bea54a00632949c4f8f539a0d327687795a5f2f4fd915ab9048e0986ab27e4864deb940d09ac11043bc3376765
SHA1 hash:	4d558769a478f79e7cc1c6e237404dde3333f6b3
MD5 hash:	38b07132d6a8350a2a526685729b3082
humanhash:	princess-connecticut-nitrogen-hot
File name:	184285013-044310-sanlccjavap0003-7069_pdf (2).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'111'040 bytes
First seen:	2021-08-04 11:53:52 UTC
Last seen:	2021-08-04 13:04:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:Qo2A4dTBtgfM39E9OCmCI1vxx/NJKao7:vb0BufMNAmtpvJKl7
Threatray	7'820 similar samples on MalwareBazaar
TLSH	T10A358C2229EA508DF3B25FB20FD4F8BE4A6AED73561970B934C11F4397329828D51736
dhash icon	e869d4f0f0f0f070 (12 x AgentTesla, 7 x SnakeKeylogger, 6 x Formbook)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

184285013-044310-sanlccjavap0003-7069_pdf (2).exe

Verdict:

Suspicious activity

Analysis date:

2021-08-04 11:55:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a0c3e625-beab-4f89-b3b5-c841ee673194

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176306/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.981.14482.2179.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/245038ad-6b8f-4893-8d2f-eee1fc831d5b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/826805

Signature

Antivirus detection for URL or domain

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/653c67c3dca6e1d5f831cfcbd04487f21b68fd4b395e645b891ea887f52da698/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-04 11:54:06 UTC

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mu6gpq64u3q5l6brz7f5areh6inwr7klhfpgiw4jd2uip5jnu2ma._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3dbbcbaa8f24ba2b41235d0247a4ddcc08b08a753b2e61399f8e6000459eda89

AgentTesla

8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554

AgentTesla

8f6b4fb55d85a992dbcd03955041bad5d18ae8632369e9c540d742bb7b773b8e

AgentTesla

aeed73e5120096ad1249a051ea5feaba3f322313a797ec9aed8bec4273a9f345

AgentTesla

f5a708e70c598445c6cbb793093e8b2cdf9b9342619c2248f38f9fe3fa019da1

AgentTesla

fc5ed0a66d1dc9b980a9c09c563979d48c840963569ccb81eb5972beed07c2b8

AgentTesla

+ 7'810 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210804-h3twrzd262/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1

MD5 hash:

c273f926e2a29bd62cc8f27b569a0b2a

SHA1 hash:

e08d302cab3e11d776599a6b0537207fce6f9c51

Link:

https://www.unpac.me/results/bb9d3d9a-9711-4765-9ee0-755c7e66c711/

SH256 hash:

5720eb8bd6755d190f62c55c40202562bcdefdf9c7d0244a2328cdd5db1057b7

MD5 hash:

d4b50808eb31e43ae0f8e8f865bc2862

SHA1 hash:

d74ac4205778160427b25dc9048f3371dc8188fc

Link:

https://www.unpac.me/results/bb9d3d9a-9711-4765-9ee0-755c7e66c711/

SH256 hash:

3bbbb29ac56d10307e9db141c522be3c2554e98e35fbabd5334d706c0e2e3422

MD5 hash:

7ca8efcfc692508701f1e4e65127d9c4

SHA1 hash:

aaacd78fcf63baff62da34144fc959613ef4721b

Link:

https://www.unpac.me/results/bb9d3d9a-9711-4765-9ee0-755c7e66c711/

SH256 hash:

653c67c3dca6e1d5f831cfcbd04487f21b68fd4b395e645b891ea887f52da698

MD5 hash:

38b07132d6a8350a2a526685729b3082

SHA1 hash:

4d558769a478f79e7cc1c6e237404dde3333f6b3

Link:

https://www.unpac.me/results/bb9d3d9a-9711-4765-9ee0-755c7e66c711/

Malware family:

Mal/Generic-S

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/653c67c3dca6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/653c67c3dca6e1d5f831cfcbd04487f21b68fd4b395e645b891ea887f52da698

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample