MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6
SHA3-384 hash:	753e9266b9813614d9e960747feb70a77d4ebba38ae1d640103a3ee77134f842b7b42d6569664e9a0d03328b3670383f
SHA1 hash:	177133d1b3a5bd9f08c25fd02f4142fc0a3bee67
MD5 hash:	a40025264cf491797afb407d4e14583d
humanhash:	october-triple-pizza-apart
File name:	Scan002519332020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	477'696 bytes
First seen:	2020-12-03 07:32:46 UTC
Last seen:	2020-12-03 10:26:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'631 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:m53kKEf+1eAYd/smGVnzL7eP4VL5yV/Vn:mRkp+YVkBVnBx5o/h
Threatray	1'625 similar samples on MalwareBazaar
TLSH	60A402323288BA6AEDB60EB0646436840EB579775778D5CCBC84118E69F3705EF50EB3
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/106512/

Detection(s):

SecuriteInfo.com.ArtemisA40025264CF4.4991.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554338

Signature

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2020-12-03 07:33:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

34 of 46 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tmqqiv4wyfoegshxssb4qjmifrer3ychudffo7qow25hodda5h3a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

16f1bf8a4f24dc03e6ca823c6e6c2e53ec5b26cf1cdaa773fd04e827fb0cc8ea

AgentTesla

589a46cddd84b26fc3828e368268390daaf25f2c8a3e6f5ab9b8e4125e6a1b7b

AgentTesla

5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae

AgentTesla

76c7edf5852cfb7559a3886e0df7dee4422a624403630a60b7584bbd050c89b6

AgentTesla

97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a

AgentTesla

a0b6256a49a8f7f4c2d1d362f49b996de971d49e852a0c58e7e0c821e99821ca

AgentTesla

ab8e2a26102373b3323a707765f04a267c1630a1123068acbc3acc779276cdf7

AgentTesla

c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105

AgentTesla

d5e67d8afe482552613fba4bb051266e15a3f0325956154014047ea92ff7e77f

AgentTesla

+ 1'615 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201203-25ebmtk3ys/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6

MD5 hash:

a40025264cf491797afb407d4e14583d

SHA1 hash:

177133d1b3a5bd9f08c25fd02f4142fc0a3bee67

Link:

https://www.unpac.me/results/370f5aa9-bb82-4230-b1e0-ad9b93a1c75e/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/370f5aa9-bb82-4230-b1e0-ad9b93a1c75e/

SH256 hash:

d24af6589eb859b19d55276e45dc21393244e0699e64276f6997e4cf3fdabfa2

MD5 hash:

2c3cadf31cf901db01c33b06f7506a06

SHA1 hash:

6b142d388ed638dda8fac43dc3a170ee6cc2d76a

Link:

https://www.unpac.me/results/370f5aa9-bb82-4230-b1e0-ad9b93a1c75e/

SH256 hash:

09a532eea80cc419f1f0b1bb124fbb54401d963dbabda7542269b80b528491e4

MD5 hash:

ca180bdcfbcdaed8901d4ba4212657eb

SHA1 hash:

7be446dba6e8083ec4da54871972644f55ca10b7

Link:

https://www.unpac.me/results/370f5aa9-bb82-4230-b1e0-ad9b93a1c75e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 64fc387d24a2aed033f14158b4a956df8f034561a6273db8f19b2967425506bb

AgentTesla

exe 9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6

(this sample)

Delivery method

Other

Dropped by

SHA256 64fc387d24a2aed033f14158b4a956df8f034561a6273db8f19b2967425506bb

Cape

https://www.capesandbox.com/analysis/106512/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample