MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96aa64a34e614014eec56b7c113d7e67ab03ebca68cf3e866025b7109f917ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	96aa64a34e614014eec56b7c113d7e67ab03ebca68cf3e866025b7109f917ef9
SHA3-384 hash:	11ba3cf043fcbc821bb25af4efedb911f16b7247ea0740afb004f93c690ca453b855fda2dd09a70afb9e2be84be1c45e
SHA1 hash:	79e5b552ee18ae73ab414077408d29475a252891
MD5 hash:	43760d04c72a063a5362e59348d637f2
humanhash:	magnesium-arkansas-music-johnny
File name:	Confirmación de pago .exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	941'056 bytes
First seen:	2021-07-29 17:33:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:K2pchHng4FczV7iS/d348a/eeLFTEvwvO4VeqKKEnE5yBQqXu8YEbcsYI+T3c0ol:HcBg4FssS/d36qYv9VeVBH6EAOYUc
Threatray	7'589 similar samples on MalwareBazaar
TLSH	T1E415BE2085CCEB9DD8BE0374176C0274AFF0A942E1B0EF686F5545B4AC91B61F6BE346
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Confirmación de pago .exe

Verdict:

Suspicious activity

Analysis date:

2021-07-29 17:34:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5e3dbbf1-dc96-43ec-a983-6d97d40a70f5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/541b77bc-a20d-456c-9754-d4b47adc2077

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824051

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/96aa64a34e614014eec56b7c113d7e67ab03ebca68cf3e866025b7109f917ef9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-29 17:34:08 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s2vgji2omfabj3wfnn6bcpl6m6vqh26kndht5btaew3rbh4rp34q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

3eb96d835551fac79bfeb45e22e7ca9323b0c6ab62e0272f6cb83cd278509ed8

AgentTesla

51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

7fb4a26d9f2c3a08c69d7f5838b7f88d8c6f31ab2aa69b130b150449baaea7ad

AgentTesla

b9bdecad95f12652d5836428a1b1fe94467156f0d7c2743101b1350961da720c

AgentTesla

d4a486d6eb6ff402162a440e49cb53777c2a3a0e98abb04016e189cd445676a2

AgentTesla

+ 7'579 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210729-bs5v7n8l66/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

CustAttr .NET packer

AgentTesla

Unpacked files

SH256 hash:

e7e43a1a41d17faca31a0a0e089dea7375b1c94af586fe7b7f402b6f73eb934e

MD5 hash:

262eaac18d684cb9861a82767bfcd5c9

SHA1 hash:

76a0d664ba21bc7fab21f89bd03609a07e90e105

Link:

https://www.unpac.me/results/677cba19-38ca-4732-8f50-3d8213805f31/

SH256 hash:

97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438

MD5 hash:

68463851c0e6fe7a254c99fae763d454

SHA1 hash:

4587a5371d88c296a0184fe47ee0c5245b187127

Link:

https://www.unpac.me/results/677cba19-38ca-4732-8f50-3d8213805f31/

SH256 hash:

11d3e095bb9527d8cb38b17c9bd011144bf6940a311bdbee30a299514547939d

MD5 hash:

df019dadd77e47bd987f56cd972c09c5

SHA1 hash:

3728be3e8647acc864d47f1a8eebd7bdc1aafb13

Link:

https://www.unpac.me/results/677cba19-38ca-4732-8f50-3d8213805f31/

SH256 hash:

96aa64a34e614014eec56b7c113d7e67ab03ebca68cf3e866025b7109f917ef9

MD5 hash:

43760d04c72a063a5362e59348d637f2

SHA1 hash:

79e5b552ee18ae73ab414077408d29475a252891

Link:

https://www.unpac.me/results/677cba19-38ca-4732-8f50-3d8213805f31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/96aa64a34e614014eec56b7c113d7e67ab03ebca68cf3e866025b7109f917ef9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample