MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78a4a4daa01d5c5456db2c27fdd985885775bd94be0c179ad739fc462630f70b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78a4a4daa01d5c5456db2c27fdd985885775bd94be0c179ad739fc462630f70b
SHA3-384 hash: 6ddce2261a33a3c00fc1ec223dc8c821f62f2bb0b0db1adb0edaccc1feea805653681c7247bd19956a9e5647e9a9da50
SHA1 hash: 5ecb5b69dff30f6d05d961c02c3e1dcede506b3a
MD5 hash: 95797239fa8d82fa61fc8041afb36411
humanhash: blossom-pip-don-sad
File name:PI-FD277578.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'231'872 bytes
First seen:2021-05-24 16:10:30 UTC
Last seen:2021-05-24 17:04:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:LW0BCiUaF9nS5AYLve5xOzbkfSusW8sXzk1odwQ9+lor91pwiT5KJ1:pBCihuOx8g6BNcyodw+HwiTg
Threatray 5'190 similar samples on MalwareBazaar
TLSH 6645052DA206E080F55DD0B1CED0AAF6D402EF3BD6262D1795C73F81713AE563A3A15E
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI-FD277578.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 23:02:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25039bf8-7269-4196-a3dd-22d00064b847

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790648
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423045 Sample: PI-FD277578.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected AgentTesla 2->51 53 5 other signatures 2->53 6 PI-FD277578.exe 3 2->6         started        10 YYtJku.exe 3 2->10         started        12 YYtJku.exe 2 2->12         started        process3 file4 27 C:\Users\user\AppData\...\PI-FD277578.exe.log, ASCII 6->27 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->57 59 Injects a PE file into a foreign processes 6->59 14 PI-FD277578.exe 2 5 6->14         started        19 PI-FD277578.exe 6->19         started        61 Multi AV Scanner detection for dropped file 10->61 21 YYtJku.exe 2 10->21         started        23 YYtJku.exe 2 12->23         started        25 YYtJku.exe 12->25         started        signatures5 process6 dnsIp7 33 transagui.com 176.9.182.156, 49735, 587 HETZNER-ASDE Germany 14->33 35 mail.transagui.com 14->35 37 192.168.2.1 unknown unknown 14->37 29 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 14->29 dropped 31 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 14->31 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Moves itself to temp directory 14->41 43 Tries to steal Mail credentials (via file access) 14->43 45 3 other signatures 14->45 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78a4a4daa01d5c5456db2c27fdd985885775bd94be0c179ad739fc462630f70b/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 16:11:21 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcskjwvadvofivw3fqt73wmfrblxlpmuxygbpgwxhh6emjrq64fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0862accb403349f37941cc6f8c3cf104bed79dc2b1b1874e397a9b624292ace4
AgentTesla
13af5e008abf4380ac84c6edc70d188bdb18ddb613c7ffaaec39085cf0a43e45
AgentTesla
1b5f7e3c38243fb9d77e6ae12cc72f1aabcbf9cc083ef585f24ee9e898c19a88
AgentTesla
1db4fe5caaef2c6989032955ac7fe51d1b62684c5a3f34f0c58510e100637a28
AgentTesla
755609ffa45b84235de59f8c546c2c2f5e95e40e3ca6df1eca35adcd47b2f7ba
AgentTesla
95dc848ddbe95acc3ac77fc7adccae12b8668312b2a932e1c3e80d5a134a20ce
AgentTesla
996872584e3d5314e62439ed80748b3cb4896b29e251aa56903d17475d3e10fe
AgentTesla
d5da6430a92bdd15260c088d86e44ce5ef30bc1502976a6c6a22991f86506a89
AgentTesla
d817a7d4edf2e702871ff97008940026302bce1efcf1bde560d3323a577c1011
AgentTesla
f447a943893a7871b02a8a6cc992c31604b3bd6ff6f2ec184a3af14f3384954d
AgentTesla
+ 5'180 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210524-al7643wzq2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78a4a4daa01d5c5456db2c27fdd985885775bd94be0c179ad739fc462630f70b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 78a4a4daa01d5c5456db2c27fdd985885775bd94be0c179ad739fc462630f70b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments