MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87ef5ba8bdcbfaee9829e5fd425c328e63edcb4e35481126a6c11b2498f72ddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: 87ef5ba8bdcbfaee9829e5fd425c328e63edcb4e35481126a6c11b2498f72ddd
SHA3-384 hash: 04deca52996641bbae269f872da8167e8873d1356ec94e29094aafbb0b09bc01df0a17d07ef4f0ff18244de842844f49
SHA1 hash: 6723f08b281c81a49527178367077415e1856612
MD5 hash: 885515d0d143c056518c5f88d731d813
humanhash: wolfram-asparagus-failed-sink
File name: 47c350dce3b46756a207a3dac3b55480
Signature: AgentTesla
File size: 779'776 bytes
First seen: 2020-11-17 12:28:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 270bbf1087e39e0357f9ab6438b032cd (13 x AgentTesla, 5 x Loki, 2 x HawkEye)
ssdeep: 12288:claYmr1bitxAPRli4mJLWrEJ7Sv9hAg6hFmOtAdfQIp8opk4YywH:chwitxAviZxEVvQmOtAKWLA
Threatray: 2'893 similar samples on MalwareBazaar
TLSH: 8BF4AF23E2A15837C163367BCC0B5AA8A935BD303D6898853BF41D389F39B9179193D7
Reporter: seifreed
Tags: AgentTesla

Intelligence


File Origin
# of uploads: 1
# of downloads: 65
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: 0
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-11-17 12:31:47 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files

SHA256 hash: 87ef5ba8bdcbfaee9829e5fd425c328e63edcb4e35481126a6c11b2498f72ddd
MD5 hash: 885515d0d143c056518c5f88d731d813
SHA1 hash: 6723f08b281c81a49527178367077415e1856612

SHA256 hash: a5d0af9f5c5f07eb47e207e74434c44f1083ebc33d98458a83a78fe8fea0e4a3
MD5 hash: 7cdfd67e71d2cf0eb446c08f5193666e
SHA1 hash: 33f0a8d1c2f18a617012ba1381ebe3caea4e27ac

SHA256 hash: 26dc2f3cbcff2fdea8a28929fca758567774ad6130499b3f085514ced6e43dac
MD5 hash: 3a5104650a7a8a8f0893a446174af1b2
SHA1 hash: a9d0d9496e8a6d2850c748576ab107c7e5cbea5b

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other