MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed
SHA3-384 hash: f50eb87a86c3557279a76a89a8c8f02899a348c4d4ebecf9207a86150225dd49362947999b8f65c3000c1eaa3e29faa4
SHA1 hash: 35a0a96f0655f0d90b73690a79e5b7422e1d4fdd
MD5 hash: a383e1dd44485e175e4610768926aa46
humanhash: august-item-zulu-beer
File name:a383e1dd44485e175e4610768926aa46.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:501'871 bytes
First seen:2021-06-25 07:07:44 UTC
Last seen:2021-06-25 08:13:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 6144:TTqjFcYOkn/A5PEEBkdZ5gRhm5mbX0mMswKNLB048j18:HLk/A5PpB4CRD7MfKNR8j18
Threatray 7'139 similar samples on MalwareBazaar
TLSH 3FB4C7212E4F5816CBE2EAB729154F79BDE574CEB5857C131B40ABA234319F2C783263
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a383e1dd44485e175e4610768926aa46.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 07:09:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa9ba975-9af7-41a3-90d6-279b4d524337

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168249/
Detection(s):
SecuriteInfo.com.Trojan.Loader.846.20826.2469.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fab41185-18ed-4a14-822e-60c5e0b0f35c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807964
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 21:22:37 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugi6izjif52m72e4t74beipavcmlxikh57ujjkirb6pdi5g34xwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d7cd1a6e4c7bb4243c85103c5db3d2473bb5e3b486e59bbbd8f695b2787a69a
AgentTesla
4277fde72512aedcd199bfe2d51f005870a4c947dc4faa5c9806992b1af37c2c
AgentTesla
5f69b0d9184e628599c369a252d7e96325c989fe12c9b3298273ca673a01a6c1
AgentTesla
687c0d0a7968f15884824b2b4144a19342e61f7ff65ad0eee82191f09731f95d
AgentTesla
6dda8584a5682afdc017e2e421619b02fc9f57a67de615332797b3e96981864d
AgentTesla
84953a98465f15151a773268a00ac8f73ebe39c14631467f6c468f1e1855cc48
AgentTesla
877fff8539be4c6f8c01fc67ef76f38927f6dae2002744c0cda442917564cdd5
AgentTesla
a8fff516d9fd0acae0f2e6809dfa1d719b1257dcd09e9378f411c8685c77a3f5
AgentTesla
b2591ab91ce60fe508b9b816367c233af1c9c584aa72c5857fdbc8376b68ea62
AgentTesla
fd81870ea6455334808d4a13d1f061c24391fd607bf5a4b40f9b35ead1ab4050
AgentTesla
+ 7'129 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210625-vqkgnwmcks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/a1835091-d308-40e8-82f2-754b53b5a00b/
SH256 hash:
2d0d5d235bf15433e38042494efdd03a5ac6492cd4f1f771e69a61b53db09c0f
MD5 hash:
a4a586ed30dcbde403887ee9f2be4b90
SHA1 hash:
afa158a0b96803e2ef7c9e5844c30da437924115
Link:
https://www.unpac.me/results/a1835091-d308-40e8-82f2-754b53b5a00b/
SH256 hash:
9f19b43cc5ab9472922ba62e56563afc0c84a905e099d69e0daf294928539bce
MD5 hash:
ae12a87384527e0f763f61ea472bc6fc
SHA1 hash:
5a66e7c60eb7014581ee8fb46eb6c7c963a3bd6b
Link:
https://www.unpac.me/results/a1835091-d308-40e8-82f2-754b53b5a00b/
SH256 hash:
a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed
MD5 hash:
a383e1dd44485e175e4610768926aa46
SHA1 hash:
35a0a96f0655f0d90b73690a79e5b7422e1d4fdd
Link:
https://www.unpac.me/results/a1835091-d308-40e8-82f2-754b53b5a00b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a191e465282f74cfe89c9ff81221e0a898bba147efe894a9110f9e3474dbe5ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393816/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168249/

Comments