MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442
SHA3-384 hash: 9e9f51191c6395d0ef382f076cf8d979ad15a68cf090be8bffc967bfff4e94311560f3f91aa88a6fb545fd192f0c3e83
SHA1 hash: 2afc5bad266371a27bda7e2a5ed1fb3d4aa8a6bc
MD5 hash: 5a587c3875eb85b9df12e5a58cf97a77
humanhash: potato-nuts-tennessee-blossom
File name:fvsIPSwPrcbg1DQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:687'104 bytes
First seen:2022-04-04 16:54:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:MxBJ1K70/0nhbYU/D2vSd+wT4TjCfy0Tib7bsO6Ra2aAkS/I9lh/C:I1swmYU/D28YTufyiab8jAHLh
Threatray 15'427 similar samples on MalwareBazaar
TLSH T1A2E4E0382BF84652FABF4BFDD1A5814143F4B626984FE70E1AD160F92D37351C926A07
File icon (PE):PE icon
dhash icon a2aab28acad696aa (10 x Loki, 8 x AgentTesla, 8 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260702/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.34136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware obfuscated packed remote.exe update.exe
Link:
https://www.filescan.io/uploads/624b230240ce5db9f404f44f/reports/c7223c5d-cc52-41e0-a002-387d6894fb13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab2f34f7-1cd7-4595-9c4f-37f9846d958b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970289
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 10:28:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7tft6x3jziwjpf6mu7fw7ayy2qil7ivoeunfhirfxgiltgygrba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a
AgentTesla
65111c916600ffd7c9407db3a70147e7333a2d6e504c049c548e58db09a6ff6a
AgentTesla
8802a6f507c02074894fae7351418312e6fded323950238e06691adb61da984f
AgentTesla
8f4007f0c6f570327d5026756b4a48c8a776a6a9516b28a83913307d3db760f7
AgentTesla
a34bb1db3e08504165af011b4f7f70c4143e654117fb3cb8f5ba5374c0f6807a
AgentTesla
addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918
AgentTesla
be7618e17ee02d548fd4c9ce00e3075eaea5a3c3bb2cb649ca71cca58f391372
AgentTesla
dfca2f8f463f035fbf2e00c4c2791d931a905cacea11a14ebfcba3b09554308b
AgentTesla
f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56
AgentTesla
+ 15'417 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220404-ve4pxadccn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
00f95d649582f722c7c41d80c9794cd95279cca5db5ae1305e1e65dc122cf5e9
MD5 hash:
124b23d00f552c7bcebbf17148224205
SHA1 hash:
f95322b6b61e731fcc1852cee7357f4fce629d50
Link:
https://www.unpac.me/results/3afbedb7-b931-4c66-ac3c-e772c0adae35/
SH256 hash:
358963e4482a4e5af9e71c8def1e73469df2067223641adbcc01bd9f945e3459
MD5 hash:
0f3e5f865637f7ada30006f21977383a
SHA1 hash:
881f7804bb1dfaf6b40ba0dcb1250af6c1331409
Link:
https://www.unpac.me/results/3afbedb7-b931-4c66-ac3c-e772c0adae35/
SH256 hash:
32fb8e9f3886d2d90f1f3fbb267b542e0d015ff43cd2e089b3d9a81164b9c14e
MD5 hash:
1745d29bb386e05c5a49ae0e3ec8d28e
SHA1 hash:
35d6034a1fede6752bf2ffc8eb477f94122ce5df
Link:
https://www.unpac.me/results/3afbedb7-b931-4c66-ac3c-e772c0adae35/
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/3afbedb7-b931-4c66-ac3c-e772c0adae35/
SH256 hash:
77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442
MD5 hash:
5a587c3875eb85b9df12e5a58cf97a77
SHA1 hash:
2afc5bad266371a27bda7e2a5ed1fb3d4aa8a6bc
Link:
https://www.unpac.me/results/3afbedb7-b931-4c66-ac3c-e772c0adae35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 77e659fafb4e5164bcbe653e5b7c18c6a085fd157128d29d112dcc85ccd83442

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/260702/

Comments