MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc
SHA3-384 hash:	6e29a8df92b65900504423d00beddcdec54973cc19d44e275b4318c95ac92a76f6ab5ab6172a7cca2c181909c652ae6e
SHA1 hash:	209a0b9c23639d458a5f3d30d0a7c551263fc4d4
MD5 hash:	86b0e5c5efcbe30bfa13ef7ff09ae3a3
humanhash:	london-cardinal-fifteen-bulldog
File name:	ago.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'184 bytes
First seen:	2020-11-16 15:14:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:aGWvWwLCOEVrtNcRY0UCPe6v515Eule81cuAbyLT4iHQolOvQwjetDlGW:a8ra5UsR1ePwHQolxMqDl
Threatray	1'235 similar samples on MalwareBazaar
TLSH	60242A1A6715D411CB6F417FC016820831F1D707A72AD78F5AA6D8FA2F812CEF92B8E5
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Razy-9768966-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/538031

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-11-16 15:13:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tbn2xhqqw2ilylbxri57kehys5do37niryz2hi4txwqs43ieb7oa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1596485ee8331651ad1cf0e3b2bbff49bea4be5f8b1b051e6e520582b73b36f9

AgentTesla

222af506bee8af177dc09a2f709208725bf5823f145fd9f5b10340e203f402da

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

7d69ecaf108320a941b846030a0438843d5cc4ea8067807b7db4b783c1fffa60

AgentTesla

83b29de5935d98be775a17ab0d062e0bad44935cf7f7e24db5c184796bccfcb4

AgentTesla

8bcb63b65e1e1169e4212f656871db5fd33e5a8cffded5009b74471bb40f5b51

AgentTesla

bf310f0ae72ab1080c4967aca8ecebcf6e2c56cc7a3672c3b3e602c03870aad9

AgentTesla

cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3

AgentTesla

d786c5ecc0fd677c853ccc3bcff9136d7b15b1342ffd929188826e1a38d75e04

AgentTesla

+ 1'225 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201116-xygpfyknma/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc

MD5 hash:

86b0e5c5efcbe30bfa13ef7ff09ae3a3

SHA1 hash:

209a0b9c23639d458a5f3d30d0a7c551263fc4d4

Link:

https://www.unpac.me/results/eee0b631-9d60-4dcb-add2-91c30ad69e42/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample