MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba
SHA3-384 hash: 139cb3d68e2cb0814ba57e5825e92c77b1571721ac083e62d18e48c1116e620714cfc2c67df4471bb1e557bad4d8f9fa
SHA1 hash: 5a85e1cbe8d8a5ab4b30da066193b9f522dcc172
MD5 hash: c87c6b0428c659986b21ce84da8837ab
humanhash: alaska-fourteen-ten-finch
File name:93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'326'256 bytes
First seen:2020-11-11 11:25:08 UTC
Last seen:2020-11-15 23:03:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:8l82WT5OrwhwAZIuuHCVTvIL2be8lk/jt61ZS7P/AJpktj69j63hMH6FpfMHUN4:8C2GhhDXF7eBeh4faUN4
Threatray 138 similar samples on MalwareBazaar
TLSH F4553F4854A9638AD43733AD5B783881C3B4DA5772F8C9D3029CBBB1EE8DC359B71A05
Reporter seifreed
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
57
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.59206.1113.9582.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 09:32:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sp45r6k3kfob5rre7e2kzewqrqu733y6uspgtlbtycecxjzxh65a._file
Verdict:
unknown
Similar samples:
0137042c076d728f11067b31394854e43724b1b588a65d0718d696ac2efd7f3f
AgentTesla
227d27fd9d93676327684653aa83d4edb058bfd0e49d270c00a1c7fa134b5648
AgentTesla
2800f779fcf9eb82626c08e19c5c2a46a149a1a0d046ef79c6c9ac1a44c6017e
AgentTesla
62dc9a9e902b11b0b7d081ec0ce5e8f60605d244a9abfcd03ef464f0058100ca
AgentTesla
657ce0145781e930d93e0cf3953390f98f22323be721a6d44db6342a44aea27f
AgentTesla
86b4bb9ea11ac97ecf7390c0e4e2979b69c294c22c65931ff734926c9540a0fd
AgentTesla
b2f7371dbc4fb27739f11a5fbf9aa878f118d1f8659025422bc614e7c5b60ff6
AgentTesla
b711fc441777905b534050ba32f04836a1a791dc4cfbf850b1ee7faecd6a82da
AgentTesla
daf3291e47f8659d58a505b5ed585987018001e08827f3aff1ab0bb860bd5c80
AgentTesla
f3a64adfa73627b8d56495d23a7e37a11870545b8a87e3d9687cad67679c11d2
AgentTesla
+ 128 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201111-hkfypth26j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba
MD5 hash:
c87c6b0428c659986b21ce84da8837ab
SHA1 hash:
5a85e1cbe8d8a5ab4b30da066193b9f522dcc172
Link:
https://www.unpac.me/results/f1c87ecb-0d8f-4ba1-87d7-9cabb4fae563/
SH256 hash:
46f37cdb9452c813492649b3bc569128fe6ad066be21ec7308cad25e7d6d92e3
MD5 hash:
29a4dfc5fb3c8abfe2a1735d51d4d06f
SHA1 hash:
3a7fdeac0a00310218483d3db4c13504817ebd48
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/f1c87ecb-0d8f-4ba1-87d7-9cabb4fae563/
Parent samples :
472f99476aec6f45e8f8ceb4b851cbb5bc3ad6385cc98fc26878f741487f9310
938f2bb4ae9732027302ba4fb2b0c77a15fe7dcd0a25696b307abb812b58ae17
42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94
2d1bf9dab94ecd03dad9f64f433659ff280ca22e425647575801a81cc70f9023
93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba
2445a4f2550fbb06d432b013f4e148ec9cf69657df3bcbb4c2dee79e415949af
bcf99b299260fd3ab82d02b8ab2f4f9e5dca8373b25902a9cb6b764d3a8308f3
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/f1c87ecb-0d8f-4ba1-87d7-9cabb4fae563/
SH256 hash:
d72cc5a2f195910b35b8177a0d8d41cdccf0ad4223003932b03a4d5772530b37
MD5 hash:
7c94b6851dba0a6b22f68c4d173cb5cb
SHA1 hash:
b89108be75447604b363eae7248372dc8d95fd87
Link:
https://www.unpac.me/results/f1c87ecb-0d8f-4ba1-87d7-9cabb4fae563/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments