MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268
SHA3-384 hash: 85e7ef12a7b35064e2bcb92774c5c27168feead593a17b79bf2f63c960fbcd43c1562020ad49af1ec833c9aab9d4f9ed
SHA1 hash: 5cad49a1dd5da9f40bc490170546132680ccb2a2
MD5 hash: f90f7228f33accb6b44274c6c07cf511
humanhash: enemy-michigan-white-oven
File name:a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268
Download: download sample
Signature AgentTesla
Create hunting rule
File size:303'104 bytes
First seen:2021-01-21 11:29:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:fF5Q4ZNT92iA8TWSXePRRJzzEOQ8p9jOyMFQS82byUIaYYbwTKI5/DX85JopCino:9esP2eCJPzJz6cwyMGSZycYYbweI5/Dc
Threatray 2'232 similar samples on MalwareBazaar
TLSH 60540210A7CE007EDA7417328BE26D010DAFF8091D6F976E5EBA53CD5A1712E49A0F27
Reporter madjack_red
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Virus heuristic.heuragen.1133542 RE RECONFIRM ODER FOR PAYMENT.msg
Verdict:
Suspicious activity
Analysis date:
2021-01-20 14:10:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/00b17fa1-81b0-41c5-bada-4b338dd8303d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113270/
Detection(s):
Porcupine.Generik.BPLXDXM.99439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Connection attempt
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/587166
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342606 Sample: 2Dd20YdQDR Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 5 other signatures 2->51 6 2Dd20YdQDR.exe 2 2->6         started        10 kprUEGC.exe 2 2->10         started        12 kprUEGC.exe 1 2->12         started        process3 dnsIp4 31 192.168.2.4, 443, 49228, 49285 unknown unknown 6->31 53 Writes to foreign memory regions 6->53 55 Allocates memory in foreign processes 6->55 57 Injects a PE file into a foreign processes 6->57 14 RegAsm.exe 2 4 6->14         started        19 WerFault.exe 23 9 6->19         started        21 conhost.exe 10->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 33 us2.smtp.mailhostbox.com 208.91.198.143, 49768, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->33 35 192.168.2.1 unknown unknown 14->35 25 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->25 dropped 27 C:\Windows\System32\drivers\etc\hosts, ASCII 14->27 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 7 other signatures 14->43 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->29 dropped file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 08:27:24 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=unkjlsseojznhlguczfxhqpw5ca32doikt3zko2ai7ohtuttyjua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
1e43a9cb578534543e39c04879feed5a1d9af3f58ab4c60f306bbedcb2be1470
AgentTesla
53199d2d6d3d21f6a1549eb84faa73b98e68c3c0c4ca31889852a10277125e3a
AgentTesla
559ac8d4a0d12e54467002c83f33cf63f01158a729ff2143b68a5ec42b8535ad
AgentTesla
7a39af512f69ee9235b6b5e199beb2313a42ce4d6ec9b610c6e54a131c415bd8
AgentTesla
8905819fcaa0d71e50cc1ec90e32258967e011878efb78f8db8893ad04a98174
AgentTesla
98712ca737a8d8cddc09bd41dbae64ccc816d5a846da270615108bac7023e19d
AgentTesla
a84f11e95b767a018ebd535c055ce9dd39d0ab23bf563312092662cd8cedf00b
AgentTesla
acf949e60ec1fa015f83ea1d7caa8810bc0ccb28b99cab88f3d162819a526cab
AgentTesla
e40b50918c860d686479a98167208e4104471d38708d82f267b4cedc4242ace2
AgentTesla
+ 2'222 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210121-6kgvta1z36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/54dde95e-f641-48c5-aa3a-db45f2a765e8/
SH256 hash:
948c5138a6a4aa986e245b41ef859f54a6aface525a8c9863b531069a6cfdbe1
MD5 hash:
4e77fa4bbc59cd9ee36594e02776c70c
SHA1 hash:
bca91e26c3135bea3fb0b32f3768583dec0afdab
Link:
https://www.unpac.me/results/54dde95e-f641-48c5-aa3a-db45f2a765e8/
SH256 hash:
514af7d5407788ee7589b08baca065d20829ee2a1bde4f92e0b11bf52e34a3b4
MD5 hash:
1cff2d32989aaa1c632f44efdf9aa2e4
SHA1 hash:
80f6a535747b5e93cd316e4dc29b79b4bad2cef9
Link:
https://www.unpac.me/results/54dde95e-f641-48c5-aa3a-db45f2a765e8/
SH256 hash:
a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268
MD5 hash:
f90f7228f33accb6b44274c6c07cf511
SHA1 hash:
5cad49a1dd5da9f40bc490170546132680ccb2a2
Link:
https://www.unpac.me/results/54dde95e-f641-48c5-aa3a-db45f2a765e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113270/

Comments