MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781
SHA3-384 hash: 48accddad1931366baa0677ca3e3f44d28416672eea2c4cdd6099dae15f4416ea314b3bc563f477b5e9dbad25661c96a
SHA1 hash: b2f1cc7a16eb8004836686349b9697e7d0000348
MD5 hash: c0724a5c274680516eee8e6ce502bcbe
humanhash: indigo-missouri-alaska-stairway
File name:c0724a5c274680516eee8e6ce502bcbe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:690'688 bytes
First seen:2021-10-05 14:00:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:r4objDh5mB0yTu8pta9jAMZUepWyxP9bMJT6YashlM0JT6YashlM:ME/hEpTnHCpWynbI9ashlV9ashl
Threatray 10'770 similar samples on MalwareBazaar
TLSH T16CE4E09C636F8510FDBA43F6787060905BB2B4262466C73DAF8024FDEC627E58E95723
File icon (PE):PE icon
dhash icon 0c32b232d3c8c453 (49 x AgentTesla, 21 x Loki, 4 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0724a5c274680516eee8e6ce502bcbe
Verdict:
Malicious activity
Analysis date:
2021-10-05 14:07:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92dec649-d4a3-41e5-a03d-838cdd939864

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195097/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c5aa0b95458900cdc78a9/reports/a44309b5-5380-475d-8122-2f9d0dac297b/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c12d83e-8f3c-43fe-a05b-033dd4d5fe4f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864868
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497302 Sample: hL7hZTsRDc Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 5 other signatures 2->62 7 hL7hZTsRDc.exe 7 2->7         started        11 BnevyAj.exe 4 2->11         started        13 BnevyAj.exe 3 2->13         started        process3 file4 36 C:\Users\user\AppData\Roaming\LwiNXb.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp7BB9.tmp, XML 7->38 dropped 40 C:\Users\user\AppData\...\hL7hZTsRDc.exe.log, ASCII 7->40 dropped 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 15 hL7hZTsRDc.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        70 Multi AV Scanner detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 22 schtasks.exe 1 11->22         started        24 BnevyAj.exe 2 11->24         started        26 BnevyAj.exe 11->26         started        signatures5 process6 dnsIp7 42 wallaceseymour.co.uk 95.215.225.28, 49842, 587 M247GB United Kingdom 15->42 44 mail.wallaceseymour.co.uk 15->44 46 192.168.2.1 unknown unknown 15->46 32 C:\Users\user\AppData\Roaming\...\BnevyAj.exe, PE32 15->32 dropped 34 C:\Users\user\...\BnevyAj.exe:Zone.Identifier, ASCII 15->34 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 Tries to harvest and steal ftp login credentials 15->52 54 2 other signatures 15->54 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 11:27:00 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4429d5de4d9e544c06beba52b737a29e93ae559002e0aaacf532839678cdf7db
AgentTesla
45107c3a3f9ed2f7d5beec0ac10eacc2bf90da8ddcaf9e279337dce1b5abde0d
AgentTesla
82e86d82b4d3492465f83d7c46a834488b45ee7de90200c141f54bca128c508d
AgentTesla
c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
AgentTesla
dd2262c470cbff3cef7f965e0c457de414eb71bb0ad94ffc2d64aef577462d14
AgentTesla
e16e6f37d6df72bd04dfe215d5ae485ff783423c82514d95926947050244b06b
AgentTesla
e40736bc19f0008189f281f42cdfddf5bcf6a8c70a89e7bccd0aa0eb797edd22
AgentTesla
+ 10'760 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211005-rbjzjshhd5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c443cd47b0c64c97847ae09d88014ae442f49bbd57f0fd72bb036c347bb53c3d
MD5 hash:
5e5f65e639bde3eb7fe291b1913233b6
SHA1 hash:
e97e75fdbc53a2b4c9d75aa92d660747f42bb116
Link:
https://www.unpac.me/results/b0252618-bee2-43b9-bb0c-f91e39bf4a8e/
SH256 hash:
defd2249102410c0c6cdac49daac04688f86032542d732c941ebaeec81c8f853
MD5 hash:
63a070e295fc44f7c257a3ccf5343a24
SHA1 hash:
c0b64caddbac446d348f92cb2f9b649be8cd1237
Link:
https://www.unpac.me/results/b0252618-bee2-43b9-bb0c-f91e39bf4a8e/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/b0252618-bee2-43b9-bb0c-f91e39bf4a8e/
SH256 hash:
a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781
MD5 hash:
c0724a5c274680516eee8e6ce502bcbe
SHA1 hash:
b2f1cc7a16eb8004836686349b9697e7d0000348
Link:
https://www.unpac.me/results/b0252618-bee2-43b9-bb0c-f91e39bf4a8e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a04979ab597b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a04979ab597b661bbc3b05d8182a886ef390e7127dcef4d2fb044cd720f1e781

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1655907/
Cape
Cape
https://www.capesandbox.com/analysis/195097/

Comments


Avatar
zbet commented on 2021-10-05 14:00:41 UTC

url : hxxp://198.12.84.79/0789/vbc.exe