MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52
SHA3-384 hash: 6b11a93f5ee74f184e204bc5168b91dbd22090d24eb27325e3b8ec3b680ad2a27cfdb4402f4f5fbab67be24ab377f69c
SHA1 hash: cfc53ed4478b8d401e543f416dd26c186c5334d5
MD5 hash: 7f9e3202a1d949772c5e5d003fc4e88c
humanhash: venus-uncle-hot-fix
File name:SecuriteInfo.com.BackDoor.SpyBotNET.25.30157.2637
Download: download sample
Signature AgentTesla
Create hunting rule
File size:124'368 bytes
First seen:2020-11-25 13:40:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:whxqi0eLcocflB2+vt/YvYGbvHfvL5eUf:whxVLcogr/vthab
Threatray 1'493 similar samples on MalwareBazaar
TLSH BBC3862BAADC7DE1C3B443746B7383D0D328FC4A42B0E56D60D9A5E654BC0973A1ABC5
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105637/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546973
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322589 Sample: SecuriteInfo.com.BackDoor.S... Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Found malware configuration 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 5 other signatures 2->38 7 SecuriteInfo.com.BackDoor.SpyBotNET.25.30157.exe 15 3 2->7         started        process3 dnsIp4 22 hastebin.com 104.24.127.89, 443, 49732 CLOUDFLARENETUS United States 7->22 24 192.168.2.1 unknown unknown 7->24 20 SecuriteInfo.com.B...ET.25.30157.exe.log, ASCII 7->20 dropped 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->40 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->42 44 Injects a PE file into a foreign processes 7->44 12 SecuriteInfo.com.BackDoor.SpyBotNET.25.30157.exe 6 7->12         started        16 timeout.exe 1 7->16         started        file5 signatures6 process7 dnsIp8 26 mail.plasticosenres.com.mx 192.254.250.49, 49770, 49771, 587 UNIFIEDLAYER-AS-1US United States 12->26 28 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.42.25, 443, 49769 AMAZON-AESUS United States 12->28 30 2 other IPs or domains 12->30 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->46 48 Tries to steal Mail credentials (via file access) 12->48 50 Tries to harvest and steal ftp login credentials 12->50 52 2 other signatures 12->52 18 conhost.exe 16->18         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 09:07:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2nmg5gnq3ocozxptboyurrci7cldkxpmhr5snp2rqbbvw4shvja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
160bb1d1ffcdea76c664adfeed64f6fe3e16285baf9c4336ebb0caeddfcfd931
AgentTesla
199da37d02aa71c502adf3a623de188b25f7cb2001b4936a798ea8a6a9c20ad3
AgentTesla
3b274112221489ff1408360fbd3b4d691e5d0b10a28399fd2c4690336e6e9cdf
AgentTesla
45cd8607c8221613edb11abb3954bceccd4fcb97f54a2b18d7eb544363e7db9b
AgentTesla
87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299
AgentTesla
b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7
AgentTesla
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
AgentTesla
e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'483 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201125-naj7k12x9a/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52
MD5 hash:
7f9e3202a1d949772c5e5d003fc4e88c
SHA1 hash:
cfc53ed4478b8d401e543f416dd26c186c5334d5
Link:
https://www.unpac.me/results/717353ce-f399-40f1-9cb8-d93004affcde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/852872/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105637/

Comments