MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc
SHA3-384 hash: d659010a3458eb03c641f6ce64e07d2b37ee2b5f13d1ee9f2e2b4780e8263b86a94c6ba810894ef4697311cc7568f0d5
SHA1 hash: ec9bad3fe35f25be002005011bbec029af4db4dd
MD5 hash: b420cd9c5eefe5c4b1a80958476ceef2
humanhash: dakota-pennsylvania-illinois-jig
File name:b420cd9c5eefe5c4b1a80958476ceef2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:909'824 bytes
First seen:2022-02-08 08:19:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:1x57XCkfrx+nYdx6BsfSzOIHPOG9+G1cPAoThlfRIbGtYJD1vLz/7CWV0PATpS9b:tX+Ydx61/P19+LhlfRyXjf4uNcb
TLSH T18A15D0AC719179EEC41BCD7699687C60E63030B783CBC207922716889E9EA97DF144F7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
nanyainc.cf:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237850/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a window
Creating a file
Sending a custom TCP request
Creating a file in the Program Files subdirectories
DNS request
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6351/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
neshta overlay packed shell32.dll virus winlock
Link:
https://www.filescan.io/uploads/620227b9c79b424d7207cb49/reports/ec206cc0-04f4-4766-93eb-197748b6d21e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a479188-14c1-49e4-a602-bddfc71ec4a4
Result
Threat name:
AgentTesla Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935927
Behaviour
Behavior Graph:
n/a
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 08:20:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oebxokg5z2q3bffuxrepvevsucev6ae7c7qosnkkhxc7wadx5c6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:neshta keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220208-j8fdmaehe4/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc
MD5 hash:
b420cd9c5eefe5c4b1a80958476ceef2
SHA1 hash:
ec9bad3fe35f25be002005011bbec029af4db4dd
Link:
https://www.unpac.me/results/53d4fde6-173d-433a-9b09-b9f7fc7275d8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/237850/
  
URLhaus
https://urlhaus.abuse.ch/url/2034727/
  
Delivery method
Distributed via web download

Comments