MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 743f2455a7a6da6adcd800890c675181ce9cf56ac9e30e13106f50b19e53010e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	743f2455a7a6da6adcd800890c675181ce9cf56ac9e30e13106f50b19e53010e
SHA3-384 hash:	164b3e8365d1a0d2aef00b5580414d370dacb38f1c0c3d9b543a56362b549f7a8c3e94aa930281f87265e3caa5e30175
SHA1 hash:	0b42ec4e8fe6e23e1e43a9eb72c9e1004a5619f1
MD5 hash:	bf300e4cb042c9439252fa3e41ba56d2
humanhash:	minnesota-early-wyoming-helium
File name:	AWB-18267638920511_Pl.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	921'088 bytes
First seen:	2021-06-15 06:50:43 UTC
Last seen:	2021-06-15 08:01:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:MSk/PSMPQipP5h2rCCU9aKkUv1cYgPKc6ys+tIlMvF4koWi++S3w91VoBv9YR:MSk/Sip6GZxv29XDs+zojH
Threatray	5'852 similar samples on MalwareBazaar
TLSH	E315BE575ECE53AFC6658CB69B30AC56C2311CBA260963123DC234BDD93F1EEC99E412
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AWB-18267638920511_Pl.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-15 06:50:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d3c920e-c86e-4925-b113-092ab0f00381

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166395/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.19534.6872.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2ac49d3c-9674-4b97-8a93-8af0281d1e2b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/802190

Signature

.NET source code contains very large array initializations

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/743f2455a7a6da6adcd800890c675181ce9cf56ac9e30e13106f50b19e53010e/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-06-15 05:03:07 UTC

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oq7sivnhu3ngvxgyaceqyz2rqhhjz5lkzhrq4eyqn5ildhstaeha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

17d2636add9f6f880c490347fbd54ed7f054eb37954eadcd04992efdb81d9204

AgentTesla

1f487a7364066794ee06ac5c009cc9db1e7a1547857feef5e4495131a8743b78

AgentTesla

24b4837e45a3ffd294a685797f1c05c86900890970917456d7e14eec8b621e5a

AgentTesla

30a8c0df00327395c8b1beef758c41cc14a6c93b08b06d9bbd7436387c699222

AgentTesla

5b47e23b2eedf1f1c3fb2f38b573e783920befab88279c2eebd229f5507f6934

AgentTesla

960c29fb936458bf529e1ce90138a6d5de5c5c49e18ae552b19de309080fb4ed

AgentTesla

bdc9849371891b1cab4067f7ae50dbdf2992967750f9385731ec436a7f316300

AgentTesla

c56b99ff57c329dadabc8f03ae1dc2b35cc116830e594820f16326ca531ea21c

AgentTesla

ef84990e67f10821c9df29ad5297f27ba151bb4c6f247010373e8ebab2d647e0

AgentTesla

+ 5'842 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210615-msyntr5e5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

4ffe20888a9ab3c7423fb84397261d9bb9b9cee395cf729d0036fdd4721ce0f5

MD5 hash:

4d0a9f19a63ed4f9c73d10086913304f

SHA1 hash:

a5d19af36261974ae8d4f075541c546158a2aabc

Link:

https://www.unpac.me/results/1dd347ea-b95d-436e-8b81-f4c6d185f202/

SH256 hash:

8e5bbf4c92c653c6256b052cfdb4372196a02bfea0510c25f34ea998f6a2b66e

MD5 hash:

7aedb288d3185806678a4583b930f70c

SHA1 hash:

50a1c6bd69b8e2e281447946e5dc97d365f787b2

Link:

https://www.unpac.me/results/1dd347ea-b95d-436e-8b81-f4c6d185f202/

SH256 hash:

929f8bcc27902ccfd5c98cf7ca66b224e400b890bd1915bf9c62b7bc6033a209

MD5 hash:

01116af782e7670f4976e81a0318ec0a

SHA1 hash:

41a5186352e11a4a9601b4f01e47a24810114c85

Link:

https://www.unpac.me/results/1dd347ea-b95d-436e-8b81-f4c6d185f202/

SH256 hash:

743f2455a7a6da6adcd800890c675181ce9cf56ac9e30e13106f50b19e53010e

MD5 hash:

bf300e4cb042c9439252fa3e41ba56d2

SHA1 hash:

0b42ec4e8fe6e23e1e43a9eb72c9e1004a5619f1

Link:

https://www.unpac.me/results/1dd347ea-b95d-436e-8b81-f4c6d185f202/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.58

Link:

https://yomi.yoroi.company/submissions/743f2455a7a6da6adcd800890c675181ce9cf56ac9e30e13106f50b19e53010e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166395/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample