MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 706ee0328206b320eff5db5ae7a712703738f1235259b702562d72293964f0cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	706ee0328206b320eff5db5ae7a712703738f1235259b702562d72293964f0cb
SHA3-384 hash:	efe8050becb350328f830d8aab7985eee6e82ea4cc2bf99cef03b87d713b2f6026d8e55ab2aba390c69ba9452593a797
SHA1 hash:	280a0c5398c2f751098a8fa335f8695cf8acdd1d
MD5 hash:	6deead5051fc67c530ee030edf9c97f3
humanhash:	tennessee-river-india-fish
File name:	ASR1117.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	777'728 bytes
First seen:	2020-11-17 14:43:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:WtE4Y/pLoqmxX+2hpyoG6bjnylRis4e8qplt6qtBQuPDJr1PLf9NK3b:8NYRLkO2hpyo1+lRi5Pqpl4qbQu7Jr1a
Threatray	1'438 similar samples on MalwareBazaar
TLSH	A7F4E03A3739EF66D17D877B84408541A3F9ED128733CA6A3CF4F2A91A50FA0653614B
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20201117-1209.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/706ee0328206b320eff5db5ae7a712703738f1235259b702562d72293964f0cb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-17 05:37:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=obxoamuca2zsb37v3nnopjysoa3tr4jdkjm3oaswfvzcsole6dfq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99

AgentTesla

2693356eb785b39160f0dd89c916020ab5ae032faaa931b30c393e93da2740e4

AgentTesla

2ff93944081c104e8175f5209255c50e92d65f8a3e35fbf01c5f6f46237575af

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a

AgentTesla

a02efa762378167db2eff5f91d7c194603291d4193ce4085b6d4ecfcd73f10ea

AgentTesla

abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6

AgentTesla

c7c371104c985df2506b6f9b0e4133e61c96e45d9f96a9961369d52e9f9f972b

AgentTesla

fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1

AgentTesla

+ 1'428 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201117-mwmwqjga3e/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

706ee0328206b320eff5db5ae7a712703738f1235259b702562d72293964f0cb

MD5 hash:

6deead5051fc67c530ee030edf9c97f3

SHA1 hash:

280a0c5398c2f751098a8fa335f8695cf8acdd1d

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

SH256 hash:

c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b

MD5 hash:

b5358f677850210361f573c7d249c258

SHA1 hash:

215e06e319515d779efa88f7c05b343d6ec3f6a5

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

SH256 hash:

0bf1b1a9fb7066e06388b0d2cfac4b724bb97ab08ca4e851c39246fe1b383a89

MD5 hash:

42b3c220b79430fce64a5b1e792abf21

SHA1 hash:

45fc2b7227c22e9faa1cf3b7d7cfc20b87ca87e5

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

SH256 hash:

c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0

MD5 hash:

47509d9db24c975e55c287afdc459fad

SHA1 hash:

4f1f893555c985d7cbba731cf1fdbf49c6ecf793

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

SH256 hash:

165cdb0d2558306adbc169a7551bcf4c80688a0e052dc9adb896f35da27e4cdd

MD5 hash:

17c01f9f9a6708b3553adb304ff0e4e2

SHA1 hash:

d700c3749855cea9449a2469b3c5952e2ed9c461

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

SH256 hash:

d02d2ba85e55494972f2a00827e7ed049faf02f0b61136ea86644f9765bcc449

MD5 hash:

777b6633ffda1cec2a01f460cbcd4261

SHA1 hash:

d9f0388377899ac498fd52a7b9f5139e61cbfce9

Link:

https://www.unpac.me/results/631a9eb3-1d69-4eaa-a98b-7092b71d38a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/706ee0328206b320eff5db5ae7a712703738f1235259b702562d72293964f0cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample