MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65af202accc3cbb6d7a94526ac904ec78697de220f5219d724c7e578d8ecc1a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	65af202accc3cbb6d7a94526ac904ec78697de220f5219d724c7e578d8ecc1a7
SHA3-384 hash:	3cdd3635d26d908fc4c525e5f46ec99adcdb5afacbce152735736797b619412ea26810b7af1bb58976a110213fe03678
SHA1 hash:	46fdf88d5f110519a8e24864e38525e3c31ad472
MD5 hash:	cb7b6f3db6647ecf2c799d5725b43f48
humanhash:	potato-oscar-low-connecticut
File name:	Payment details.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	175'616 bytes
First seen:	2021-09-06 13:48:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa91405d30e4548924d9a2da4a39197c (3 x AgentTesla, 1 x SnakeKeylogger, 1 x Formbook)
ssdeep	768:ioDGKVBA5iZ8ATge2VvInNiK0xxHe3h1k:io5y5OhFN0A1k
Threatray	9'566 similar samples on MalwareBazaar
TLSH	T13E04539F213C0401C00277756D59BA9CCAFD5BD08A6B4CDE96E195BDDEE022DFC0D8AA
dhash icon	f0d4a6745298d8f0 (1 x AgentTesla)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment details.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-06 13:49:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/688c808a-1c51-4e4f-bb35-85f5d1d779c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/185684/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Launching a process

Sending a UDP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8119d0e9-922f-4c51-8600-4a168b0f29a5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/846031

Signature

Antivirus / Scanner detection for submitted sample

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/65af202accc3cbb6d7a94526ac904ec78697de220f5219d724c7e578d8ecc1a7/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-06 08:15:54 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mwxsakwmypf3nv5jiutkzecoy6djpxrcb5jbtvzey7sxrwhmygtq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

31ab2bfd738bd5e28af20fbf5833b7173fffa70ffe4453a6710f73999c9516b4

AgentTesla

3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed

AgentTesla

76f10c642d9be6759a4a1b94cba83708597d60a9a7dbb05bd8db971e75545d06

AgentTesla

b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9

AgentTesla

b5648af3a78134f62d9385b8cb2408f155f7c253f515f08143ff19ed74992fcc

AgentTesla

+ 9'556 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210906-q4nyjabbf7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1891294793:AAGob71b-OUpFy1t0VNgmPVDUmP0xgoRdbw/sendDocument

Unpacked files

SH256 hash:

65af202accc3cbb6d7a94526ac904ec78697de220f5219d724c7e578d8ecc1a7

MD5 hash:

cb7b6f3db6647ecf2c799d5725b43f48

SHA1 hash:

46fdf88d5f110519a8e24864e38525e3c31ad472

Link:

https://www.unpac.me/results/469fa2e5-de48-4e99-911e-fe1bee01a3e2/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/65af202accc3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/65af202accc3cbb6d7a94526ac904ec78697de220f5219d724c7e578d8ecc1a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185684/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample