MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff
SHA3-384 hash: 02e0b635ec3041a80be551e9e7197539272096daea3e70976b69ef2a43f3521010c326214233640bb36570ec739811d0
SHA1 hash: 82c8bdd558fd3ca49bc95d78f8fb0d3595f0ada0
MD5 hash: 59edd6116a47eaa6f21544244987ece0
humanhash: early-hawaii-six-north
File name:59edd6116a47eaa6f21544244987ece0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'157'632 bytes
First seen:2021-04-26 18:04:19 UTC
Last seen:2021-05-06 12:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IrToLLoS60/K7yh0UKTY4rJ+SWN1UgDApI7RkkhFIp241xp49pJDgFnKqFTdO/:IrToLAUWY4MrND/Ics49p5//
Threatray 10 similar samples on MalwareBazaar
TLSH CD35AFAC7A54A5F0D35B1D32A7CF4C1643351570B93BA60E8B6023BD1A73E173E3A989
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
59edd6116a47eaa6f21544244987ece0.exe
Verdict:
Malicious activity
Analysis date:
2021-04-26 18:09:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1964eb6b-ce0f-4b08-80d5-a05d971d7678

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144420/
Detection(s):
SecuriteInfo.com.Variant.Kryptik.174.21795.10777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/698302
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 398068 Sample: RApK2RmjFR.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 7 other signatures 2->35 7 RApK2RmjFR.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\tFKPZYcERmq.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp370D.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\RApK2RmjFR.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 11 RApK2RmjFR.exe 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 us2.smtp.mailhostbox.com 208.91.199.224, 49739, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->25 27 208.91.199.225, 49740, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 2 other signatures 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 18:05:23 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6qqrkiafhgkysz4um5r34d7ez6zpnusw45jcgxdim3ex47ouh7q._file
Verdict:
unknown
Similar samples:
2fc3c25b29d03e4e3167f874a453eb44212071490864e0134ca406ecf14d74a6
AgentTesla
5579e53b061e5c449ca231a05e84e0c90cceada35d9e4677e083ee77ffe8718b
AgentTesla
638603145c3aac570237325613344a3fd83bf2fc737ee5acd8230e0ee1afb0f5
AgentTesla
6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332
AgentTesla
75c50efa907178d38b65adee406a6758288f7f69299dd2c26bee91e738a175f3
AgentTesla
a37509a6354a72dd281648e71465962fb4d12ec51cb0ea796d92684a36996f75
AgentTesla
a96f314ef38951221b646a5798f3086f7a7320c7cc669fe33238db949a058b3f
AgentTesla
c65cd2032c06e0dbfb61b04e33aca937bafe18760001ec39aaa83be81e8e4697
AgentTesla
e3736b761f2b82e91cbb074ea1345a6e1e103bb9cb4e043ff17eeb1705c70c94
AgentTesla
eb09747d42fcf03baf1c3d844ac469062b354defcdd6300a8c051c96b3d144c3
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210426-trztlt8q3s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/71437c21-4f24-43bd-a3c0-558ed58bad59/
SH256 hash:
f201fa680b5df9e591952eed0d31cea5d5489bfea09851721c1c3eeb55bb758f
MD5 hash:
18615c99962366f59e318377c6ae76ac
SHA1 hash:
d9fcb789a3a648a71fd8b82df8307089f405a9c4
Link:
https://www.unpac.me/results/71437c21-4f24-43bd-a3c0-558ed58bad59/
SH256 hash:
18ca424efac373b4ba6e19fb3e53a1e291bf5e085dae18ae9655b3e29f8e8904
MD5 hash:
46ecadb7fe30559f13a0fcd9c3ff2ebb
SHA1 hash:
614e94dc1f0424202dad5c52e73370b2653a005a
Link:
https://www.unpac.me/results/71437c21-4f24-43bd-a3c0-558ed58bad59/
SH256 hash:
7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff
MD5 hash:
59edd6116a47eaa6f21544244987ece0
SHA1 hash:
82c8bdd558fd3ca49bc95d78f8fb0d3595f0ada0
Link:
https://www.unpac.me/results/71437c21-4f24-43bd-a3c0-558ed58bad59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7fa108a90029ccac4b3ca33b1df07f267d97b692b73a911ae343364bf3eea1ff

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/144420/
  
URLhaus
https://urlhaus.abuse.ch/url/1145522/
  
Delivery method
Distributed via web download

Comments