MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a272ee0b70107d2e318321ecca3147425f663beb85f0f8dc80fbb21ba27c952a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a272ee0b70107d2e318321ecca3147425f663beb85f0f8dc80fbb21ba27c952a
SHA3-384 hash: aa90cfab2fc5ea22a5722a7ae29e225e92e8b24fa08991884fbea4029d85339c37b54b11ab04d5755c41ec8d8c4daf6b
SHA1 hash: 0a7be47d975221f1755330a19a45268aca69e75c
MD5 hash: fc0dd659935df6b88eb705ed5ff41f72
humanhash: apart-maine-red-princess
File name:SecuriteInfo.com.Trojan.PackedNET.854.8381.128
Download: download sample
Signature AgentTesla
Create hunting rule
File size:795'136 bytes
First seen:2021-06-21 02:53:32 UTC
Last seen:2021-06-21 04:52:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:eFF1s0Tz8SB9iI4B//vMSWFaVjPsfeACKqBw81W4BJmnWwmHhU0GI5EYXWFHfs:dSB9iI4ZvgmjPmo7jwkGI5LoH
Threatray 6'428 similar samples on MalwareBazaar
TLSH 8405C02039AE6109F57BAF795EE476F2967FBE237B07D81C10E4334A97239428B40539
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.854.8381.128
Verdict:
No threats detected
Analysis date:
2021-06-21 02:54:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d5f1a005-77ea-4a8e-b53d-51c2e70fcee0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.854.8381.128.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/918f0c51-eb7f-40fc-a523-a7e09511d39e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805025
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437436 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Yara detected AgentTesla 2->45 47 6 other signatures 2->47 6 SecuriteInfo.com.Trojan.PackedNET.854.8381.exe 3 2->6         started        10 kprUEGC.exe 2 2->10         started        12 kprUEGC.exe 1 2->12         started        process3 file4 23 SecuriteInfo.com.T...ET.854.8381.exe.log, ASCII 6->23 dropped 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Injects a PE file into a foreign processes 6->53 14 RegSvcs.exe 2 4 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 29 saitools.com 208.91.199.233, 49770, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 31 mail.saitools.com 14->31 25 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->25 dropped 27 C:\Windows\System32\drivers\etc\hosts, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 6 other signatures 14->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a272ee0b70107d2e318321ecca3147425f663beb85f0f8dc80fbb21ba27c952a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 02:54:11 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujzo4c3qcb6s4mmdehwmumkhijpwmo7lqxyprxea7ozbxit4suva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03f42b77429e6203cfd076d1f9a4a0a371a44ed083deba781a8914e79ae2d9b0
AgentTesla
14de52bb38d53f186e241de9156d51feb9e2d032f48fedc777693463513d5199
AgentTesla
43a41d6ef8788ee60b4fcf90d5741dae5dcf0a5d58f1b1f38bdf59298d2840bc
AgentTesla
4c83b9a705090f3edd4f8f1322ec609b7a04d59d03b390681c3708c61341eb1a
AgentTesla
7c38652e82dd9a34d66d7f2086b55bd88db405974eed27dc8ac5ba3f15616729
AgentTesla
8cbe20f02c27a802e43a868585c6662a4157e0365c22590727d36533315e451c
AgentTesla
9ecab8874967c53279d62d6fece35433adf4d296ac81d255e7ea61bea88d399a
AgentTesla
a71930554d697f91b4ab6456faddbecfb15c1ebaac574db9ec735aa995dd10ac
AgentTesla
b4bd99f8e845eb8989697730c4d42b4a405972fa010415d74356efa46b9b745c
AgentTesla
be4fed0d40623475b3ad736c732fdae9ec9532e5ecaf9d01152770240c419aa2
AgentTesla
+ 6'418 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210621-mjstfjyhla/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
641bc16f4a6a19243f9737c49568ea72168d93ac76dab5a6c643cb404db9cdec
MD5 hash:
91cc5ace96ba75d602d7461d5e4c48d7
SHA1 hash:
da0836f87898a422ac705052d903dfbc412ad3d8
Link:
https://www.unpac.me/results/d670d2c9-8923-437d-b120-462bf8560cb0/
SH256 hash:
e40f9d97d721c85b0f020780dab5010b0c595d58d6517eeca34ddf0cbbf0fd65
MD5 hash:
f6870aec4b400881a61619ce51aa8e5c
SHA1 hash:
c41fc52e06f5f575febda55e6da75b4699359b70
Link:
https://www.unpac.me/results/d670d2c9-8923-437d-b120-462bf8560cb0/
SH256 hash:
a6b7a8e26e7ee410b431ee7d20ff90e40497509c5ec735ac7e9b2630ecc12365
MD5 hash:
82fd894d686f0adb1888821f20d7fd2a
SHA1 hash:
95821b339429f5e96c5bd484d26aa26c0bb31cf2
Link:
https://www.unpac.me/results/d670d2c9-8923-437d-b120-462bf8560cb0/
SH256 hash:
a272ee0b70107d2e318321ecca3147425f663beb85f0f8dc80fbb21ba27c952a
MD5 hash:
fc0dd659935df6b88eb705ed5ff41f72
SHA1 hash:
0a7be47d975221f1755330a19a45268aca69e75c
Link:
https://www.unpac.me/results/d670d2c9-8923-437d-b120-462bf8560cb0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a272ee0b70107d2e318321ecca3147425f663beb85f0f8dc80fbb21ba27c952a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments