MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190
SHA3-384 hash:	7dcc5adad15ad059393ded2d09fbc5e9da648e0c03bc60f005ee5bd623e2bddaf9931b8971924de0698c98be16ed5484
SHA1 hash:	fcfa9a18564392b2ae6ffad14a057144110ab02a
MD5 hash:	325a3a8efc176a27303e00597e138274
humanhash:	blossom-robin-virginia-eleven
File name:	microD.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	529'920 bytes
First seen:	2021-06-29 19:22:35 UTC
Last seen:	2021-06-29 19:55:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:lqEFVzMFABwBiW4ic5p0VLol++vkHLt3Bcs7:lvaABwBirR5Ll++MHLAs
Threatray	6'427 similar samples on MalwareBazaar
TLSH	43B468EA317B512EF0D0AAFDA495504C05A28D4D6D5EA12C1946AA30E5FEF8D4F0FF32
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

microD.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-29 19:25:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/53c039b3-84ed-4725-a042-ad7c4c79966d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/168807/

Detection(s):

SecuriteInfo.com.MachineLearning.Anomalous.95.30940.14631.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ddec23ec-ada8-4ae9-b7c8-dc709d27ff82

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809627

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pdvg5hhe3sf4j7c55kl4vogm3eji3koycimcimaoqxurntnfwgia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

182c0e87117b2763f638ace1294239a1e6f779a293257d9f843365a77f9cb369

AgentTesla

34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3

AgentTesla

4a0f2f1f14fc6444a79ce4d326f75a43cef11c46b1e7f594cf434ae26ad40dcb

AgentTesla

69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c

AgentTesla

8e8b3b7c12c9e7113b882eb559fe9fd5cac868f8e3238942bcc9fa893521c5a4

AgentTesla

a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed

AgentTesla

c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca

AgentTesla

d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad

AgentTesla

efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3

AgentTesla

+ 6'417 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210629-7fx3f9xcn2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1846926808:AAGk2IzxSb5N5fdYKiaTr2kIA9QAdWBcb1Y/sendDocument

Unpacked files

SH256 hash:

70f41753c5be42ea9c2e98acfd598db74687978125ed245bd98364a3fa0c6e42

MD5 hash:

0af1eb07366f7f64fc591386db800cbe

SHA1 hash:

b85a4785be3bcc99e0c18ba65c8edd5fdb2d103e

Link:

https://www.unpac.me/results/86b28774-2463-449c-b946-35336ab282d8/

SH256 hash:

9be36cac76cd4bf809e6d6b977aba2716e52075178246dbb5da64e5e378fb7ac

MD5 hash:

f8d92e0e905060818f750f1047d0f170

SHA1 hash:

b574fb1266eed4599c3b06464d721270f34e8a02

Link:

https://www.unpac.me/results/86b28774-2463-449c-b946-35336ab282d8/

SH256 hash:

b8eaf352e22eae3652188a7baa82c82737c11472db8a40dd087e7db1363e3e15

MD5 hash:

71bfb58ef4f1c64c62a190cb06643858

SHA1 hash:

7ef9bd7f00d18c93ab6f3d9c5a1a95ce61bd58d0

Link:

https://www.unpac.me/results/86b28774-2463-449c-b946-35336ab282d8/

SH256 hash:

78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190

MD5 hash:

325a3a8efc176a27303e00597e138274

SHA1 hash:

fcfa9a18564392b2ae6ffad14a057144110ab02a

Link:

https://www.unpac.me/results/86b28774-2463-449c-b946-35336ab282d8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/168807/

URLhaus

https://urlhaus.abuse.ch/url/1411476/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample