MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910
SHA3-384 hash: 35bda784a077dff32af7610ead282298f3181a837bec1a318f9fc23511612cc520e58f8fd616267c5b06999d0e57ab86
SHA1 hash: 3fbabdf2ea3dfa583cbefa5f250f8048f0d28750
MD5 hash: 4d502f30155e5f6215ed32de99c4ca14
humanhash: winner-quebec-apart-cat
File name:SecuriteInfo.com.Trojan.PackedNET.783.17547.17190
Download: download sample
Signature AgentTesla
Create hunting rule
File size:219'280 bytes
First seen:2021-05-31 15:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:bhha12pxv5LCb5mIaHwEQ7XorTyEffT72BqQdseKvxzIO0iyTwRQhW/pW/y0:jp55LJQEQoTyEfHhSwzH0y3EL
Threatray 5'455 similar samples on MalwareBazaar
TLSH FB2401046A04E322D9919DBEECD2C2F62EB2CD41AF9A8C1754413FEF36733864F65949
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.783.17547.17190
Verdict:
No threats detected
Analysis date:
2021-05-31 15:44:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e891c73-0852-4d91-b58a-41750eef1da1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163540/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.783.17547.17190.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794815
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 09:40:37 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=obtua2mwtmwosndaiacnmsfftz6viycyt5sbl6j22wqhb64opeia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967
AgentTesla
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
5ab6b8512421b5961edd36b0d3c1e26c21224052de74611e3f801db830653317
AgentTesla
989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d
AgentTesla
ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8
AgentTesla
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
AgentTesla
b96e5b8548a31fc43385a31b1c23a9ad95440309ccc6baa10dced1833e118d5e
AgentTesla
bf411b461237ce0b5f1cf021af00bf94c0f31a8aac095c9d36581c5095fcc2a7
AgentTesla
d65fa2504374d19e221d6631799f41426450d650355098be07f7cfa667d80bf9
AgentTesla
ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b
AgentTesla
+ 5'445 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210531-ec3vadpe42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1307254/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163540/

Comments