MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96036d8808f95f6746d1d95dc3f157b5b7b4224cc5d01b15162ce7f048d81be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	96036d8808f95f6746d1d95dc3f157b5b7b4224cc5d01b15162ce7f048d81be7
SHA3-384 hash:	d5a7b1ceec302aacaada1d6cd769d283bd15e745658f30214b524465ff65fb1955ee5e59ec0d044acee7f12ea8dee12a
SHA1 hash:	a8aa76af30bf0db881c18f82213adbf047291f7e
MD5 hash:	5fe7e8ac93482b6015fcf5796f344292
humanhash:	river-seventeen-lamp-failed
File name:	aMrIsacjClGbmOJ.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	741'376 bytes
First seen:	2020-11-17 22:43:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'650 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:Wct/+DZUog2/bt8LFUcc6+qHfROL0ajxcy3M4EMn2f8LlH23lY:sD/x8J+q/sL5aGMJVKRWlY
Threatray	1'345 similar samples on MalwareBazaar
TLSH	8AF4D0312675BF92D2BE0BF4C162A0480FFAA66B641DE69C1DD505DF14B0F094E42EBB
Reporter	neoxmorpheus1
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Unauthorized injection to a recently created process

Moving of the original file

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/539917

Signature

.NET source code contains very large array initializations

May check the online IP address of the machine

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96036d8808f95f6746d1d95dc3f157b5b7b4224cc5d01b15162ce7f048d81be7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-17 22:20:40 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sybw3cai7fpworwr3fo4h4kxww33iismyxibwfiwftt7asgydptq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

137786f20b01ea831020cafde76ca06e6bdb2304525692aa46a7b98207b6bd93

AgentTesla

14fbd7283be9da4d0fe9736a3a86b1b779b4c4abdb077f0647625fd5ad8068ec

AgentTesla

320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e

AgentTesla

50737e711d6a55fe1c6e2289526e2d970a263ab033d93015b52a9fd2e3c5df58

AgentTesla

5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae

AgentTesla

65914c4a71b3670aacb5f165076d8f7f6542be80661727fb6d5d8038c9f13e4d

AgentTesla

a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49

AgentTesla

c7c371104c985df2506b6f9b0e4133e61c96e45d9f96a9961369d52e9f9f972b

AgentTesla

fd487c8892d4d57d7efa830b72648b2c5234ba09a0dfdced267bf5943a1861a5

AgentTesla

+ 1'335 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201117-xpd2x5zy2a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample