MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869
SHA3-384 hash: 74137381c51b7423ad01df23412fa0952b0875fd14f7aa12b0576cf81bbdb6febc8a28679ed29fd613ac58062ed13391
SHA1 hash: 785f5338f7b61e73235b54d8b88fbee2e050f4cd
MD5 hash: fab737288d9c9d4bd5a36f039c2cb473
humanhash: lake-potato-william-tango
File name:fab737288d9c9d4bd5a36f039c2cb473.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:720'896 bytes
First seen:2020-10-06 05:22:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41cd3d95714b0df8060323fdc67b3eba (10 x AgentTesla, 6 x Loki, 1 x MassLogger)
ssdeep 12288:LcAt9L2fndhBK2w3p3z+iqiBZdMuWD9gPv8N7bwJvsa2D2sEC:5HqhBFgBg6iEmFD2sEC
Threatray 1'239 similar samples on MalwareBazaar
TLSH 57E49DE2A2E14833C1671A3D9CDB6774DC2ABE503D68A9463FE4DC4C9F396817819393
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68370/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482235
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293555 Sample: g6lcXmy4dJ.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 25 Yara detected AgentTesla 2->25 27 Machine Learning detection for sample 2->27 6 newapp.exe 2->6         started        9 g6lcXmy4dJ.exe 2->9         started        11 newapp.exe 2->11         started        process3 signatures4 29 Detected unpacking (changes PE section rights) 6->29 31 Detected unpacking (creates a PE file in dynamic memory) 6->31 33 Detected unpacking (overwrites its own PE header) 6->33 41 3 other signatures 6->41 13 newapp.exe 4 6->13         started        35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->37 39 Maps a DLL or memory area into another process 9->39 16 g6lcXmy4dJ.exe 2 7 9->16         started        19 newapp.exe 4 11->19         started        process5 file6 43 Tries to harvest and steal browser information (history, passwords, etc) 13->43 21 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->21 dropped 23 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->23 dropped 45 Tries to steal Mail credentials (via file access) 16->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->47 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 05:24:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfhtxhoiv2r5riwefuhnuj3zom7hydpk5itfzqfvxz342h5gxbuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241
AgentTesla
8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
AgentTesla
f684db86a351d46abae72b79e26a108b75365f2c4819818f0e353f94326042ea
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 1'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx spyware persistence
Link:
https://tria.ge/reports/201006-tdl8l4xvbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869
MD5 hash:
fab737288d9c9d4bd5a36f039c2cb473
SHA1 hash:
785f5338f7b61e73235b54d8b88fbee2e050f4cd
Link:
https://www.unpac.me/results/b4d529c4-789f-4842-8fdc-6f0b3d90e0b1/
SH256 hash:
f54842980cba8deabaa9cb132049c69b436fa3e1fdf63a510ccee7f1eafbf2c8
MD5 hash:
4eb70431aceb01cfef345075ee6934ac
SHA1 hash:
bcb8a7c52ed7e1e7a0e96e883d6c389f4cec243c
Link:
https://www.unpac.me/results/b4d529c4-789f-4842-8fdc-6f0b3d90e0b1/
SH256 hash:
75d876c6f5f63dde11338c00dc28ddc3472be9a5091154d4c0df20a0a4f91c81
MD5 hash:
58e38fad612f4aadfdde344cb38dc1d4
SHA1 hash:
7faf38b024b6b520f505ee1ae68e81292645fe12
Link:
https://www.unpac.me/results/b4d529c4-789f-4842-8fdc-6f0b3d90e0b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68370/
  
URLhaus
https://urlhaus.abuse.ch/url/460184/
  
Delivery method
Distributed via web download

Comments