MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
SHA3-384 hash: 16038f84c10d7336ee8be69b99d18ac65655d6d8232c13b841f2069d7ea0c5d506884bd967dd27179d653035dc8e8f94
SHA1 hash: eb533a1cc37996de7e1ecaecd310d273d63f2fc6
MD5 hash: 693c29f267cb5bc212a653859426a1d2
humanhash: nuts-angel-mobile-robin
File name:PO#MT20-0582.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:456'192 bytes
First seen:2020-11-25 07:20:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:woX23X4M7L5pTq5pj5s5JbD9OSX1HaVwPTcprqQCXBaz8RO8aMsns:wRX4gTTwpFsrtOQtDTdQl6O8Ms
Threatray 34 similar samples on MalwareBazaar
TLSH FDA4C0B4746D9852F21F4537D6FABD9403B2B7839AC7ED88536CF29106A3361BE0580E
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546684
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 03:43:40 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q53dkr7jdil4obynscvtmgkbljdq5c7uhf5fpljy2cz52q74ixdq._file
Verdict:
malicious
Similar samples:
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
AgentTesla
3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963
AgentTesla
40e91b54dfb08b396759074f6018c28433f771a9c6c66ff5b1789d786c591c87
AgentTesla
50e7b9a736f734ffd4d57d93f93a89e454a4e5147ec7dac2c3f3e5f5fee6fd5f
AgentTesla
68c3bc52831c9df86039c85e4e896413bb7ccba3a85827a3ac32909c68e582dd
AgentTesla
69c0dfdb136e864341810ac7ac86ce413c9de466d775651e5bf6eeeeebb0e7c2
AgentTesla
b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9
AgentTesla
b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85
AgentTesla
c582dac0f0f94c07579c35ab71f62b25bf499123d3bea89a33a6b8a80ee3325c
AgentTesla
f7f3acea6b67e6b5db697777ab0bd656febfe648e4d79519010ba805e329fdc0
AgentTesla
+ 24 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201125-21jnrpa78j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
MD5 hash:
693c29f267cb5bc212a653859426a1d2
SHA1 hash:
eb533a1cc37996de7e1ecaecd310d273d63f2fc6
Link:
https://www.unpac.me/results/24c91ec9-e463-4f22-9619-28701d66c1f5/
SH256 hash:
5ef2068a6ab5d7cdc1fc7098113474a4505a5ed49278183261cffb198895920d
MD5 hash:
0b73b9246dd0c51afd56967bd96d782e
SHA1 hash:
3ba01f38ee1a9e729b3ce66c768db4ddd5260288
Link:
https://www.unpac.me/results/24c91ec9-e463-4f22-9619-28701d66c1f5/
SH256 hash:
fac64dda701144bb51ea2a19a0e37ee47871c5486cd95076236985748f435511
MD5 hash:
27c6843f29090e0a7930f3d04ca1f344
SHA1 hash:
75b454ca1540b155c3f1affc299e6065cb109be2
Link:
https://www.unpac.me/results/24c91ec9-e463-4f22-9619-28701d66c1f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105482/

Comments