MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9
SHA3-384 hash:	0e116e917fc2d7e043ec466891327dfb0b1644fa4251a281be39a466893afa4f52e250b97a7474e675b59d8bab0a42c6
SHA1 hash:	828d15be8024a3e476bc64b236ce782602ff8a7d
MD5 hash:	6210fdc6bbde4a9aa9e802b64fdf1977
humanhash:	enemy-victor-missouri-cardinal
File name:	Order# MY98350062JL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	735'232 bytes
First seen:	2021-06-24 06:19:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:J0N6YzwHmUpxxV5nNj75ECk4iAxiX1FiaPAP3ozQ6ydgW1MSF:JDhHTlbnNj75R2AgFgaPAAzbyF
Threatray	6'085 similar samples on MalwareBazaar
TLSH	AAF4D02427ED9319F1B7BF7859E460869BFAB6236316D51D2CD203C64633E40CED1A3A
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order# MY98350062JL.exe

Verdict:

Malicious activity

Analysis date:

2021-06-24 06:24:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f4ef81de-5c4c-4f9e-900b-e24c97f07945

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/167852/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader39.59262.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f16f4f59-f583-4642-8db2-3408e75b7594

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/807180

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-24 02:43:09 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3zldujhf6nvqpbu4z475itgicxu4gouysovviph3kpxxrjkv64q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1d380dfada55e561b147894bc58c64b6d7f14e44cfd069df0d15dcb2533e4880

AgentTesla

6f871f3642191d04e4fe20f022f738d89b3ad90b531cef6adde91d10f257431d

AgentTesla

7fb4a26d9f2c3a08c69d7f5838b7f88d8c6f31ab2aa69b130b150449baaea7ad

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

8c9a601f38c17856c34d8a311c6ae80c7a2038e42c554da0ae0a0555b2f5f285

AgentTesla

8cbaa0221d3658609df1abe44ce74ad245ad609277fc1efb2625536995ca1eb5

AgentTesla

b28a86d010b9e52bf00698dbef0d9daeaccc4c67ae772d83bead4541d2feed7b

AgentTesla

d0007554d6a69e8fb61427be8c85c9f38ffa00ab668b0bc83894995f25089350

AgentTesla

dfd6646d16dce4899cf47affa2d22b58ad515146ba71f3583a8f1d0c9cca4cc5

AgentTesla

+ 6'075 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210624-zpyzce2v4n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

1eaeb446335b86a4bc2455f996d16c0ae611612a32d5a21a70fe6905c7f5ed20

MD5 hash:

01dabb03082965f344ee47fef81960d3

SHA1 hash:

bcb7e4517530e5bc33662cb785a21945ed68f58e

Link:

https://www.unpac.me/results/6ff3d35e-e23d-4585-be88-b99e5f5de690/

SH256 hash:

50d1c6af779aa92a8b90590cacc6dfcbff92293c12869bf3fb022c1bfaf43cb8

MD5 hash:

825082cffb92ab27d7f1049ba4764068

SHA1 hash:

9e38692d1f90018deb6128ca6ff1605179c1e28f

Link:

https://www.unpac.me/results/6ff3d35e-e23d-4585-be88-b99e5f5de690/

SH256 hash:

30a7637036cdd68cc4959ef419d0671ce89b866e5750d2bcc0d37aec309382c6

MD5 hash:

91062c6fe67d0dd1577f5c8b64b5445e

SHA1 hash:

61afec2fe2163fbb86210ba955bc5f30e99d8c2d

Link:

https://www.unpac.me/results/6ff3d35e-e23d-4585-be88-b99e5f5de690/

SH256 hash:

66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9

MD5 hash:

6210fdc6bbde4a9aa9e802b64fdf1977

SHA1 hash:

828d15be8024a3e476bc64b236ce782602ff8a7d

Link:

https://www.unpac.me/results/6ff3d35e-e23d-4585-be88-b99e5f5de690/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 66f2b1d1272f9b583c34e679fea26640af4e19d4c49d5aa1e7da9f7bc52aafb9

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/167852/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample