MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b
SHA3-384 hash: 34d754ae1fb9c54fb3882353fb3e1416c99872edab312d7cb1426c970fa8f0087433f71a044696d882f76352509e65b9
SHA1 hash: 204a66f29262f423d38a369a90a6f83d3ff51be1
MD5 hash: 10be05a41e91b207148e575a59ab3081
humanhash: gee-hydrogen-kentucky-edward
File name:12-17.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'196'544 bytes
First seen:2021-07-07 12:23:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:RpxWH1VV/V072ww0zTbL/P/UClgUOpX0biYuWOBfWlB:HG/OnwezP/UClgU3biBBBE
Threatray 6'736 similar samples on MalwareBazaar
TLSH 2845DF7630328A92CEAFC7F94731211E4F6DAFFE914BB6741885B17800F4B5E4A5192B
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12-17.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 12:27:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e70e20f-1337-422f-8b0a-24ad3ecaeb6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170176/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a9d138a-c916-4f9a-8e6f-7208700be496
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812845
Signature
Found malware configuration
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 09:07:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qluapupkfahcecsticrkcuynerg5234ylnizvbyx5whsdpr52y5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f974bcf811dbe6c365320b6edfc39895131b0cc09810ea297c1d5a62b05d5c0
AgentTesla
3fdc44d1ff4ac710c14a0bf17282299352f959c050d8d62d49890a1a57a424ce
AgentTesla
6bb719834486c1edde90d47c165b4e24bcaeb4f0e9ac7468ad95b1d62e918a70
AgentTesla
8636a1af1afb3fa83c218cbc4a18f37782b835d4ab8b27148d6f99cb849453a3
AgentTesla
8a2787b56ac9b4c4d6189a64b5e39f6c827fdde2170b3e756b96345a3d178733
AgentTesla
a17de11c47636ac63c23de8fc6da983f6c7a90d2d36a50cb658716f655a666d5
AgentTesla
a59cd566e964fe38be3058e79c54028ad8c95dcc08ee1168559f016c9abc6ae4
AgentTesla
a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c
AgentTesla
eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7
AgentTesla
f10a1fd4fedbf220dd6352bb5dbc8a79647b09dc6a511eadb1c5ad069c98dd3b
AgentTesla
+ 6'726 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210707-ftms7hvmbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
49018641a3cc3b84a160d0b0af81d89901873f1e4614bc9dbdda92c666cfbdcc
MD5 hash:
db21fb36d1b9cabdb953fd888879c7c7
SHA1 hash:
dc97a689e3b69d91067bf152a0c37baf5f335965
Link:
https://www.unpac.me/results/14cfbb74-a1e6-4180-bd5a-c83522aef406/
SH256 hash:
4c25c30f4c01c1a6d4a66acb0064c6f6b5e492100810f796d3e56107c7af2025
MD5 hash:
4f4321840676229ac7274f6cc00f419c
SHA1 hash:
569c6c52a9fbbc8f23120c008d0fb1decda90ad6
Link:
https://www.unpac.me/results/14cfbb74-a1e6-4180-bd5a-c83522aef406/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/14cfbb74-a1e6-4180-bd5a-c83522aef406/
SH256 hash:
82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b
MD5 hash:
10be05a41e91b207148e575a59ab3081
SHA1 hash:
204a66f29262f423d38a369a90a6f83d3ff51be1
Link:
https://www.unpac.me/results/14cfbb74-a1e6-4180-bd5a-c83522aef406/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 a9b03983f5a4ee070a257b4abceb58ad40100b0222d4a16b13eecdb376d9e119

AgentTesla

Executable exe 82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a9b03983f5a4ee070a257b4abceb58ad40100b0222d4a16b13eecdb376d9e119
Cape
Cape
https://www.capesandbox.com/analysis/170176/

Comments