MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28
SHA3-384 hash: 8f63e7d647a79505e90c8057371498ada70d70f4519dd2921a3252c85424b579964d35b7737fcc5d400e02030cc23bc3
SHA1 hash: 2d64033647906613abfbe2da8176b768d88b9fd5
MD5 hash: ad44d5764bd7ad4db1e725b66f01498e
humanhash: neptune-vermont-colorado-friend
File name:SecuriteInfo.com.Variant.Bulz.463152.17172.32601
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'664 bytes
First seen:2021-05-07 09:53:02 UTC
Last seen:2021-05-07 10:01:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:L1fxhwL8mLAHefRIZtbVqrTwqEZCK/hYwkEP/1E/hwceg:ZZyJAH/ZtxqEZ5ZVJwFz
Threatray 4'579 similar samples on MalwareBazaar
TLSH CCF47D0427E85B97C2AE03B9E198E63573F5DE05A25AAB4B680BF9F53F7339045009D3
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/152572/
Detection(s):
SecuriteInfo.com.Variant.Bulz.463152.17172.32601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/720056
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 16:25:56 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pggozphacopfal6wwi5h2fduqdjfufunsmjrxixft5nydxn6xmua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
127571a418fb8717e011f384d07787dadbd0aefce50a137c01a0ce8d6933e940
AgentTesla
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
604b83be28f2553e9db6a338a3a76c3c361d7ac61f475ff218f9ef440687cbcc
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
7a60f0565a5e3f4310090a6519ff72571a32d30bd4f89b641ce3aaccaab30b45
AgentTesla
89e80aaeb7d157eb24c0ad0f6336d0c496e8a706eb74e987b5bd4084d5abc7cd
AgentTesla
9898c37e93d4e9a054c013f34ca57c1aa9130112c9104386219f94e1125d0b97
AgentTesla
9af09f28e2254b8b942f1a81403815fdbbad3e38b5c509aed0cef2ccac413ef6
AgentTesla
e64b92bf32ded15a31b4d29b24e7bcd4f20a8af4a62832384bc7e027a9ea41bd
AgentTesla
f1f5174c7267e492c229c159fcbcd8e0c11678a9bca170066efbd9824d77b030
AgentTesla
+ 4'569 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210507-rzpjlqa3d6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c862ab218f11eaaa5d356bd01904c0ea3d43fe68eb036c6b8eb81d41885994ca
MD5 hash:
a0917197b5c165dd06394a61cd98871c
SHA1 hash:
7bbe1a918f28ba4ac63b8b2a6534e217fc32add2
Link:
https://www.unpac.me/results/13a4baa7-5f77-4804-a877-9f03b307cbf5/
SH256 hash:
912c1f8486738a79932552bc66774c76dc76baf3855109d0dff94b6741fd98d1
MD5 hash:
c40353f02cc73326d2c12f8a01d65b6d
SHA1 hash:
ee91766b15b0e7fc8354d61a71a686d60f7bd0dc
Link:
https://www.unpac.me/results/13a4baa7-5f77-4804-a877-9f03b307cbf5/
SH256 hash:
34bbea772d6bc2ffb6ff879346cf025379e6b65a7e76dcb94dbe61dc588ba9fa
MD5 hash:
a12bff5e88ef00d440dc169760b797d5
SHA1 hash:
fd4f32f1a3c5f9efc34ed101661f732cfac814b0
Link:
https://www.unpac.me/results/13a4baa7-5f77-4804-a877-9f03b307cbf5/
SH256 hash:
798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28
MD5 hash:
ad44d5764bd7ad4db1e725b66f01498e
SHA1 hash:
2d64033647906613abfbe2da8176b768d88b9fd5
Link:
https://www.unpac.me/results/13a4baa7-5f77-4804-a877-9f03b307cbf5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/152572/
  
URLhaus
https://urlhaus.abuse.ch/url/1203339/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 09:59:49 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program