MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 904632626923d50a1b7fe8d29b6d991c8a1c8951700c19a755fe7049fc159e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 904632626923d50a1b7fe8d29b6d991c8a1c8951700c19a755fe7049fc159e61
SHA3-384 hash: 86d0d17135b7122159eee2b64f59d7ee6dfc3bf5fe74534c380af54b2dc3f20c875dd7c8332263c1335b1519de546a1c
SHA1 hash: 51b453b7f630d7526676fc93659646db83f2e183
MD5 hash: 2b61a2660d3c0880f52565c35fea22f5
humanhash: beer-crazy-mirror-mars
File name:2b61a266_by_Libranalysis
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'068'032 bytes
First seen:2021-05-20 13:06:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:vmiuqQpa3e416lnxlYOxzmcDKwmvzqBHZr+F2:vm9mx16TCOzmwmvE
Threatray 10'461 similar samples on MalwareBazaar
TLSH 1035AE9C725075DFCA6FC832DA946C18A6246C77572BD247944337A9AA3CD8BDF080F2
Reporter Libranalysis
Tags:AgentTesla


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
APRIL SOA.exe.xz
Verdict:
Malicious activity
Analysis date:
2021-05-20 12:05:09 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/ce5a7b29-72e8-465a-8dbe-39852b5e1b60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/159627/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/904632626923d50a1b7fe8d29b6d991c8a1c8951700c19a755fe7049fc159e61/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 08:57:06 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbddeytjepkqug375djjw3mzdsfbzckroagbtj2v7zyet7avtzqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0692a4e8916df354987539ff2781631f65e7b691df4f558b6b510ab5c63bd070
AgentTesla
181b436606385b404b6828b72f419b388117f1bc2005b442966353a8ef08ca86
AgentTesla
41d8ddd107ac1ed543bfec8a2272414253a51277d75f0802c3c297aa0559c04f
AgentTesla
56b3bea2f71214ea2365ccf150c11c357d4e227db44ca064959243ccc257e9bd
AgentTesla
7d85dcd63ce189a5b1ab36d5c18063a1a2bf20204d93d1e21c35d825cf4a2585
AgentTesla
8625e20198515d3003559f7c7f56548dbac4919fb0f67f89f90f81f6d926a71d
AgentTesla
89203c9d1ba98fde5ac5baad12944bc68d9a8b1a21a0bb61526daaca06d7b189
AgentTesla
97c2ee3d3eebd8f4b99e0f4b4b7069e5a9a43c6cefb62369cdb0d0a2be67919e
AgentTesla
aa731bac3bac456751072d7a2062899e999d6437f085f893f4a5130784e161dc
AgentTesla
ddee3ca744c732bbbae51bf179fdd92c59f80f75222ddf219456059886917165
AgentTesla
+ 10'451 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210520-hkzd75s3qx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/904632626923d50a1b7fe8d29b6d991c8a1c8951700c19a755fe7049fc159e61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/159627/

Comments