MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 729edfd38b623e9201ecfa5bea1baf1d260f9f03fe8267e628ec2e91d1162bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 729edfd38b623e9201ecfa5bea1baf1d260f9f03fe8267e628ec2e91d1162bed
SHA3-384 hash: 7aad1d9bbd44276e9adbecfdf6fb42fe83877ebc1ab37eb12fb2ff26bf904ee473af9e509debadbf92a545c59ae7c26e
SHA1 hash: 1b287ad1ddd25517b223d356e5de4664cae4de9f
MD5 hash: c376e7b5dd35d9895c6cdb9da53c98c2
humanhash: orange-avocado-fix-lion
File name:SecuriteInfo.com.Trojan.Packed2.42595.3450.18155
Download: download sample
Signature AgentTesla
Create hunting rule
File size:574'464 bytes
First seen:2020-10-02 00:45:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dxAen6w0Id++rz5eFOW3JwPe9zXJmemYp87LfJNi5h:3T5RrloC29zFrp8nfji5
Threatray 247 similar samples on MalwareBazaar
TLSH EBC4CF5831A13ADEC493CB318B5C7CB6D6906476630743A2B703117DEAED6D2FE247A2
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67609/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42595.3450.18155.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/479866
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292372 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Found malware configuration 2->31 33 Antivirus detection for dropped file 2->33 35 12 other signatures 2->35 7 SecuriteInfo.com.Trojan.Packed2.42595.3450.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\XAzdVdA.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmpD0D1.tmp, XML 7->21 dropped 23 SecuriteInfo.com.T....42595.3450.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Injects a PE file into a foreign processes 7->41 11 SecuriteInfo.com.Trojan.Packed2.42595.3450.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 smtp.usamilitarydept.com 11->25 27 us2.smtp.mailhostbox.com 208.91.199.223, 49724, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/729edfd38b623e9201ecfa5bea1baf1d260f9f03fe8267e628ec2e91d1162bed/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 01:08:58 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okpn7u4lmi7jeapm7jn6ug5pduta7hyd72bgpzri5qxjduiwfpwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19b8d7da5a00f2ef97531fda2db336b31c19a73c482e8528c21730a8ff372786
AgentTesla
2769e7180962969c0f1cfaa16850c17e6a44b298b3c5899d32b37366a090727d
AgentTesla
3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
7b5cd0182b1122c0231fb30af6252fe4b0b9a9dd0962d14264ff1f09ced46943
AgentTesla
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
AgentTesla
a394155e8d2a15fa55c36e9b679cb922fc07b598c207564434fc8c80ee046503
AgentTesla
c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1
AgentTesla
c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
AgentTesla
eb8ac6c18675770e603ff7b7c3076cab5bafda10a3634d50d575185d04506708
AgentTesla
+ 237 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201002-52wd8n7z5a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
729edfd38b623e9201ecfa5bea1baf1d260f9f03fe8267e628ec2e91d1162bed
MD5 hash:
c376e7b5dd35d9895c6cdb9da53c98c2
SHA1 hash:
1b287ad1ddd25517b223d356e5de4664cae4de9f
Link:
https://www.unpac.me/results/ee4d4064-fda1-4b4c-9ee3-8bc32015aa40/
SH256 hash:
9f73d77a404a0f1e4d4a13e4c339ff867a4927f9b8afb483b9bf05323301bf54
MD5 hash:
0dc5fd9b8afc67b669d89dbecae0c6fa
SHA1 hash:
6e688190d5e1a10bcdc4731b8a983a276740a3ca
Link:
https://www.unpac.me/results/ee4d4064-fda1-4b4c-9ee3-8bc32015aa40/
SH256 hash:
c1571a9d5ed3b4ac56f09155242e1ef296db31becc31113524cfeddf502b9d30
MD5 hash:
1078cb64fa5046926b9b37daea2c35c8
SHA1 hash:
c57d94cda96dae8893cec0b1452c24092c254771
Link:
https://www.unpac.me/results/ee4d4064-fda1-4b4c-9ee3-8bc32015aa40/
SH256 hash:
729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f
MD5 hash:
ac3f427e66b28b013b0b651c2f71d1e9
SHA1 hash:
ddf8b4b1d36aced75740632b41d30add06b5db3d
Link:
https://www.unpac.me/results/ee4d4064-fda1-4b4c-9ee3-8bc32015aa40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/729edfd38b623e9201ecfa5bea1baf1d260f9f03fe8267e628ec2e91d1162bed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67609/

Comments