MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
SHA3-384 hash: 9362dc0f83c16edee432926951cf410bc9c1c9bbd6cf481f53be5302c8b222b1d4e163d9f76b8a1b6a01d8f53f78842c
SHA1 hash: b8a9c7b99ccffbc8b1905d58fb27efe5b1f7bd4d
MD5 hash: 8fd66b905336c204a24de3e7273fb835
humanhash: burger-north-kentucky-wolfram
File name:Enq No 34 22-01-2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:15'360 bytes
First seen:2021-01-22 09:19:18 UTC
Last seen:2021-01-22 11:06:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 192:BhCDawozRlAg5ed581e9fzK9KUITM76Tou63MPXE7XTbB+Z6Jw6TIG4Dr:b3PF+P581e9f+2TM76TouQMPwHFJw6T
Threatray 2'246 similar samples on MalwareBazaar
TLSH 0E62C716374ADE83E16A9B3C3207613B137616C7376F8B60E89113529CA7AC45F62F83
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Enq No 34 22-01-2021.exe
Verdict:
Malicious activity
Analysis date:
2021-01-22 09:22:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e371e089-b056-466f-a5f1-27b0055311bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113479/
Detection(s):
SecuriteInfo.com.Artemis8FD66B905336.29714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/588142
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 343095 Sample: Enq No 34 22-01-2021.exe Startdate: 22/01/2021 Architecture: WINDOWS Score: 100 51 mail.privateemail.com 2->51 61 Multi AV Scanner detection for dropped file 2->61 63 Sigma detected: Powershell adding suspicious path to exclusion list 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 12 other signatures 2->67 8 Enq No 34 22-01-2021.exe 24 6 2->8         started        13 Enq No 34 22-01-2021.exe 2->13         started        15 Enq No 34 22-01-2021.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 53 193.239.147.103, 49714, 49724, 49730 DEDIPATH-LLCUS Brunei Darussalam 8->53 55 pastebin.com 104.23.99.190, 443, 49720, 49736 CLOUDFLARENETUS United States 8->55 47 C:\Users\user\...nq No 34 22-01-2021.exe, PE32 8->47 dropped 49 Enq No 34 22-01-2021.exe:Zone.Identifier, ASCII 8->49 dropped 69 Creates an undocumented autostart registry key 8->69 71 Creates autostart registry keys with suspicious names 8->71 73 Creates multiple autostart registry keys 8->73 19 powershell.exe 22 8->19         started        21 powershell.exe 19 8->21         started        23 powershell.exe 14 8->23         started        33 7 other processes 8->33 57 pastebin.com 13->57 75 Adds a directory exclusion to Windows Defender 13->75 77 Hides threads from debuggers 13->77 79 Injects a PE file into a foreign processes 13->79 25 powershell.exe 13->25         started        27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        31 powershell.exe 15->31         started        59 104.23.98.190, 443, 49738 CLOUDFLARENETUS United States 17->59 file6 81 Connects to a pastebin service (likely for C&C) 57->81 signatures7 process8 process9 35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 33->45         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-22 07:08:32 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nh2bahtd7x66yss3n7cko6dbtju7suiuc3ozb7u56m2qf74ntvhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec
AgentTesla
6810cc6edb1ced93f416b478d0d793b3a01bcfd37d8927388fd55ec2b1086e29
AgentTesla
6b4736cadf2ab0f4477b857257ec184758cd846ebae168b2ccc4af62e6871835
AgentTesla
6cec4d45ec32bf036c8b5a513e029a5012c799e16acef1481e41822ba20dce8a
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
b2a96d57f2421ebdc9fdf4813b413e1d2f84277b5dab59cccc52224094ff5ae4
AgentTesla
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af
AgentTesla
e8f40ad1b59a06f7e29b6626a46fd7d0023c3d82ba75dff99bd8e9a5d8ee054a
AgentTesla
+ 2'236 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210122-p8dykxs8sx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
MD5 hash:
8fd66b905336c204a24de3e7273fb835
SHA1 hash:
b8a9c7b99ccffbc8b1905d58fb27efe5b1f7bd4d
Link:
https://www.unpac.me/results/cc476e80-7f91-4f6a-bbb9-56b6c16e912f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fb512dbf9cf74ade32a477ffc64a84c6601af206568042c6132207b8ffa53f3a

AgentTesla

Executable exe 69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f

(this sample)

  
Dropped by
MD5 90496bcaceed96dab394f11b54376261
  
Dropped by
SHA256 fb512dbf9cf74ade32a477ffc64a84c6601af206568042c6132207b8ffa53f3a
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113479/

Comments