MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b
SHA3-384 hash: a92f77a560dc4c77ce6f6a38e46e0bd9a993f8a1735ae1f4401081feddc8ade59857acb0f1a3cd7c7a7a8e87e588c1dc
SHA1 hash: 3e3e9584a231d1e52f0e93a3b6541f1abfbd4fb9
MD5 hash: 50abf9c5eb12778328a41c18e9a84300
humanhash: six-north-kilo-indigo
File name:50abf9c5eb12778328a41c18e9a84300.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:558'388 bytes
First seen:2022-03-22 18:49:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:npdxGqPiHPiEXAfYFR76oKihQ93ENTaHfR6eglC844:nnxeHqEQAFR73KihQ9MUfyC8V
Threatray 19'508 similar samples on MalwareBazaar
TLSH T131C401487774D937E7FA1932B576C27C1AB87E6C1D9A02023A403FBE3E766596E04342
File icon (PE):PE icon
dhash icon c094bcb8f2daec96 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255086/
Detection(s):
SecuriteInfo.com.MemScan.Trojan.GenericKDZ.85536.1966.27427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Moving a file to the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623a1aa40cd58dbd92d8b0b0/reports/697266d2-e46a-44a5-b3ab-6d5d51693689/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/876dc1f2-5d1f-4957-a6dc-f414d880107d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962065
Behaviour
Behavior Graph:
n/a
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 18:50:23 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgpc6xcsxlcyc4ap6tpga3mzl7igmh5vid3bfsiuqsyqvzrduevq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
084a4f35a98c5a296639d91e597da23cfaba7816ea5a73cfbe92828c937c30a9
AgentTesla
59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad
AgentTesla
8399c97b606bb6613f99006964a47064e402e6489574b85db7a9872f601886b2
AgentTesla
a2b2e93fcc1c3fbeeb4d102c97738528846c1cad2688b7c7e09e80cd84063bbc
AgentTesla
b02c375b4bf0c4308b40e5de7ec321a443d8c01eda9adf19a61dac36b0f59596
AgentTesla
f3457b15e193b2fa2ce2fff91da46d671208034e010091cf1f88cc0231f35f71
AgentTesla
+ 19'498 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220322-xgyyjsgff7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
be4b2e0f4da8817fe1f27f145dab8e502e049a701a540e161235eec245335948
MD5 hash:
5040a3ea877849d413592586f729e9ca
SHA1 hash:
719cc6a04352e29f1f3cc555f207726d7e10fa58
Link:
https://www.unpac.me/results/bed78730-51db-4ab2-a47e-179f70f98f8b/
SH256 hash:
89f60835ea21c3f03504c2058b048c22cc7c8f33deb6ba1cc10f18dbbec7929a
MD5 hash:
64a1d4a1389bb5138d38fbbef5f3dbc1
SHA1 hash:
2c91b026aa4a4b2c23bc190741877e9f73aebe1a
Link:
https://www.unpac.me/results/bed78730-51db-4ab2-a47e-179f70f98f8b/
SH256 hash:
4422b267564d07ad7a876f3398a21369d1c271db15c1c8126c1b8d8ead1b83f7
MD5 hash:
49993bcc9957a8c00a4bb73891e7b33b
SHA1 hash:
fb5bcc4043ce8b4d69d37780ffb01fbb05e41c74
Link:
https://www.unpac.me/results/bed78730-51db-4ab2-a47e-179f70f98f8b/
SH256 hash:
899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b
MD5 hash:
50abf9c5eb12778328a41c18e9a84300
SHA1 hash:
3e3e9584a231d1e52f0e93a3b6541f1abfbd4fb9
Link:
https://www.unpac.me/results/bed78730-51db-4ab2-a47e-179f70f98f8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 899e2f5c52bac581700ff4de606d995fd0661fb540f612c91484b10ae623a12b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2110870/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255086/
  
URLhaus
https://urlhaus.abuse.ch/url/2108892/

Comments