MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330
SHA3-384 hash: c78cd44300dfc23b27d6d7900b00c6f7d25dd7f2fa568ba63318e87f91f2bfa2dbdb7f4ee4005cebc561a9c644f212dc
SHA1 hash: 14a6ff96de2f98b6898dd9597aee672207144da6
MD5 hash: 679e61e35641582d91f79ec97752b2a5
humanhash: nitrogen-friend-low-undress
File name:679e61e35641582d91f79ec97752b2a5
Download: download sample
Signature AgentTesla
Create hunting rule
File size:855'040 bytes
First seen:2021-07-22 12:55:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:NlEm/r3DPwSkYRyumZTCM28cn3MoYMpMPsNjLyaUVKnp:NZrzPwSnyJt6F37YMisJ+ahp
Threatray 7'214 similar samples on MalwareBazaar
TLSH T19305CF35F22B9B48DCB4C3FB181891616BB9BCE9721ACB382E44B1FC687367865D1354
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
679e61e35641582d91f79ec97752b2a5
Verdict:
Malicious activity
Analysis date:
2021-07-22 13:03:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9028da7-f57d-474e-8c57-9ba11a1b278c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173325/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df6dd7d1-56bb-442f-9512-ebeae44d3775
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820124
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 12:56:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5xwrap6jry36x4xbep2ieox5qlit6geaob2f75ot6ckvlseemya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2d858522bfce2071f029aa5afea4dbaea3dafbfc4ae140671ffdba3bfa5cf82e
AgentTesla
53a538f058a5304fea3000aef945a19f123e565710c91f9f506326fe65d3af45
AgentTesla
5d05226e0bd6559409b3c0e393ff6e663792d0adb27f9145500a10894e16bd36
AgentTesla
60f621808e2a3de0ba3b655874bf321da0505b147dea66aa340c8a2a126f9e23
AgentTesla
9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4
AgentTesla
a6fcdfcb4cdad7521750882e7bf53432599b58f5d5d314572750d0de2792b446
AgentTesla
b1ea67aa792591a3a7fe1e0666c1d156e33a225742e9af401d92cbc46e24ec3f
AgentTesla
b665d653fb09426fea0970e0ae8a30ed17f46f88b150b0ea4b3697455971aecb
AgentTesla
e7488c44d2b9f78f7c5e96126798220cbc3a7faf749beab4b8545207a73ce0d1
AgentTesla
+ 7'204 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210722-s4txrahby2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7927dd66516f6473635cf14b33eeaa79ef43f5b860ce91de14be7759c53dac12
MD5 hash:
368b7f0a57495eccef6d1aa28d131616
SHA1 hash:
bf1d4e3792408884e97ce0417c300933d82a2ed4
Link:
https://www.unpac.me/results/e2790ca6-5478-4194-9076-9edb0ca1ffcf/
SH256 hash:
acf01edfa3adc09678587c1978da5909ed6a87347c9133698bb60d0a8a280cce
MD5 hash:
dd05f35e3cbbb11d0e7183e28121d42d
SHA1 hash:
93140cd3e47cb0efc1477d173c74e42162b19864
Link:
https://www.unpac.me/results/e2790ca6-5478-4194-9076-9edb0ca1ffcf/
SH256 hash:
8904575c5e25fd436eb75f1cb17512bff2790101ff061d3330b1f73e11559d91
MD5 hash:
a0097cdb049b693fd5eac5883c3bedb7
SHA1 hash:
6c23a788aff55df073362a354f8402b34abe5bd1
Link:
https://www.unpac.me/results/e2790ca6-5478-4194-9076-9edb0ca1ffcf/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/e2790ca6-5478-4194-9076-9edb0ca1ffcf/
SH256 hash:
676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330
MD5 hash:
679e61e35641582d91f79ec97752b2a5
SHA1 hash:
14a6ff96de2f98b6898dd9597aee672207144da6
Link:
https://www.unpac.me/results/e2790ca6-5478-4194-9076-9edb0ca1ffcf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 676f6881fe4c71bf5f97091fa411d7ec1689f8c40383a2ffae9f84aaae442330

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1473452/
Cape
Cape
https://www.capesandbox.com/analysis/173325/

Comments


Avatar
zbet commented on 2021-07-22 12:55:32 UTC

url : hxxp://lg-tv.tk/mazxfrnd.exe