MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 997c40ac1a3c09d89fc267d8e342f65d104cedbef573e15cc84a68a3e85e2b70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 997c40ac1a3c09d89fc267d8e342f65d104cedbef573e15cc84a68a3e85e2b70
SHA3-384 hash: 77879c8b2db4fd6f5240b0c6d638db43af2de5d5b142ec6437b7df44e37504bc20b8ecd2598fe5c13e4b5cae05db73e0
SHA1 hash: c3c4c9009a46e144502e1767a99e27089d50b53b
MD5 hash: bf82b1075bccd20ef4e6451b4fd925f0
humanhash: zebra-uranus-don-one
File name:PO#453882.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'071'616 bytes
First seen:2021-05-03 05:40:14 UTC
Last seen:2021-05-03 06:02:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:8hoLAtPObFQndqAHWr0gp9FeAAWHyW3yd2OluON4fA9uC2:Jb2dNWTBewSW3yd2OluON4fA9uP
Threatray 4'403 similar samples on MalwareBazaar
TLSH 0A356BF876009AF0E2171872A3CB4C1342122D78E92F554A9711773A5E7FE533DBA9CA
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148178/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707343
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402592 Sample: PO#453882.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 6 other signatures 2->66 7 PO#453882.exe 6 2->7         started        11 Appdata.exe 5 2->11         started        13 Appdata.exe 4 2->13         started        process3 file4 44 C:\Users\user\AppData\Roaming\zaIGjEJw.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmpC6FF.tmp, XML 7->46 dropped 48 C:\Users\user\AppData\...\PO#453882.exe.log, ASCII 7->48 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 15 PO#453882.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        76 Multi AV Scanner detection for dropped file 11->76 78 Injects a PE file into a foreign processes 11->78 22 schtasks.exe 1 11->22         started        24 Appdata.exe 11->24         started        26 Appdata.exe 11->26         started        28 schtasks.exe 13->28         started        30 Appdata.exe 13->30         started        32 Appdata.exe 13->32         started        signatures5 process6 dnsIp7 50 smtp.privateemail.com 199.193.7.228, 49762, 49763, 587 NAMECHEAP-NETUS United States 15->50 40 C:\Users\user\AppData\Roaming\...\Appdata.exe, PE32 15->40 dropped 42 C:\Users\user\...\Appdata.exe:Zone.Identifier, ASCII 15->42 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 Tries to harvest and steal ftp login credentials 15->56 58 2 other signatures 15->58 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 28->38         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/997c40ac1a3c09d89fc267d8e342f65d104cedbef573e15cc84a68a3e85e2b70/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tf6ebla2hqe5rh6cm7mogqxwluiez3n66vz6cxgijjukh2c6fnya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1339a751e36cce726e3d808cfad7cd81c7f0712103a9c26a65acaf8c573f97b5
AgentTesla
15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288
AgentTesla
28b8b2a27c23003085e868930effb3f53adb96a1665e3248ac8b21be405aa7dc
AgentTesla
92d9b1922bebbb60f7ca75eb99220f92bbdf687af32a4a966ec90fd562dfe96e
AgentTesla
961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
AgentTesla
bd021089d05bee433a76c55dd186d23261a7232e55ea540c9fd63f4403071a66
AgentTesla
d3ab51dd012ef279251684ea215a050cfe913de2237daeebfbb2d52ceb5c896b
AgentTesla
d7b90e9350a4f773e9c222d0fa4be16b8df2b24313fa1da2b2f40cc1156f7580
AgentTesla
f4ca4b6592ae781af7585c76f6a922e5c88340df7164f07fdb3a6aa85dbfaeb5
AgentTesla
ff8234f15bed2f627188eb75fa895da33137fc3c417c37cbb450074ae5a4c34e
AgentTesla
+ 4'393 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210503-l7yap269te/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/48aadc2c-3522-45cb-9480-cfa7f5cec65a/
SH256 hash:
07e0714b8249309ba22b7df0c04c6cebaa2214a50269a63b556cad56defd34de
MD5 hash:
a4b91c58559003591102362c7cf17fec
SHA1 hash:
bf04db5c86c63241476890c403b8a158ffc6c9ce
Link:
https://www.unpac.me/results/48aadc2c-3522-45cb-9480-cfa7f5cec65a/
SH256 hash:
b1eba803c1f2960c2cc022b4c4db645c4e78c4f7db982fcbed788d80b88daa3a
MD5 hash:
237f7c77ecc425a7cbe310eb5b1d8837
SHA1 hash:
b15efad70d4b7ff1b3d2ddf5b4b8a9a67b98c31a
Link:
https://www.unpac.me/results/48aadc2c-3522-45cb-9480-cfa7f5cec65a/
SH256 hash:
997c40ac1a3c09d89fc267d8e342f65d104cedbef573e15cc84a68a3e85e2b70
MD5 hash:
bf82b1075bccd20ef4e6451b4fd925f0
SHA1 hash:
c3c4c9009a46e144502e1767a99e27089d50b53b
Link:
https://www.unpac.me/results/48aadc2c-3522-45cb-9480-cfa7f5cec65a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/997c40ac1a3c09d89fc267d8e342f65d104cedbef573e15cc84a68a3e85e2b70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148178/

Comments