MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 10

SHA256 hash: a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
SHA3-384 hash: e71604a56d4c4e8ddba03c28eea67b287d14d0060affb061e004eb6256c084d5c89cc41bfeafa2e5298acf398db6a678
SHA1 hash: c878a3e521a3c20b74df4d550feecc6ad6e2e2d8
MD5 hash: f09473c989db69c4c35f2f5a23094ae7
humanhash: alabama-lactose-december-king
File name: 44000.exe
Signature: AgentTesla
File size: 837'312 bytes
First seen: 2021-03-16 14:56:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep: 12288:GENN+T5xYrllrU7QY67eW0yACVMTTKytMnxwumfAnY6Qhq/9mOurXD:K5xolYQY6syZsTKyagfAn2hKkrz
Threatray: 5'468 similar samples on MalwareBazaar
TLSH: E705BFBBF900505EE8A782F0182795A6BD271C6E47E19C0F26E17B1635B2113B1BE71F
Reporter: madjack_red
Tags: AgentTesla

Intelligence

File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 44000.exe
Verdict: Malicious activity
Analysis date: 2021-03-16 15:39:54 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph ID 369404 (Sample: 44000.exe, Startdate: 16/03/2021, Architecture: WINDOWS, Score: 100), laid out as a process tree with the graph's node numbers in brackets:

Sample [2]
  network: smtp.ionos.com
  signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures
  44000.exe [12]
    dropped: C:\Users\user\Desktop\44000.exe (PE32); C:\Users\user\AppData\Local\icsys.icn.exe (PE32)
    signatures: Installs a global keyboard hook
    icsys.icn.exe [18]
      dropped: C:\Windows\System\explorer.exe (PE32)
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
      explorer.exe [26]
        network: vccmd03.googlecode.com; vccmd02.googlecode.com; 6 other IPs or domains
        dropped: C:\Windows\System\spoolsv.exe (PE32); C:\Users\user\AppData\Roaming\mrsys.exe (PE32)
        signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 3 other signatures
        spoolsv.exe [33]
          dropped: C:\Windows\System\svchost.exe (PE32)
          signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
          svchost.exe [37]
            dropped: C:\Users\user\AppData\Local\stsys.exe (PE32)
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
            spoolsv.exe [41]
              signatures: Installs a global keyboard hook
            at.exe [44]
              conhost.exe [50]
            at.exe [46]
              conhost.exe [52]
            13 other processes [48]
              conhost.exe [54]; conhost.exe [56]; conhost.exe [58]; 10 other processes [60]
    44000.exe [22]
      dropped: C:\Users\user\AppData\Roaming\...\hujaxx.exe (PE32); C:\Users\user\AppData\Local\...\wyvxz.dll (PE32)
      signatures: Maps a DLL or memory area into another process
      44000.exe [31]
        network: smtp.ionos.com 74.208.5.2, ports 49766, 49769, 49772 (ONEANDONE-ASBrauerstrasse48DE, United States)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  hujaxx.exe [16]
    dropped: C:\Users\user\AppData\Local\...\wyvxz.dll (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 4 other signatures
    hujaxx.exe [24]
Threat name: Win32.Trojan.Swisyn
Status: Malicious
First seen: 2021-03-16 14:57:05 UTC
AV detection: 46 of 47 (97.87%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla evasion keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
AgentTesla Payload
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
AgentTesla
Unpacked files
SHA256 hash: e9c66629361d1963e86ca398f847f9fa53ed0f02817975308a4ebcf151ad4572
MD5 hash: 909a88928818cb60b48d3eaac65d1495
SHA1 hash: 20d0bce850d5c811f94c4086e9a8fad9019c6015

SHA256 hash: 05fc230105dfe9e2558bbc2a5a68efe0f1941b01fd73d393a5244e7906f6b66d
MD5 hash: 2060b687e3efc2d797f44444266cfaf5
SHA1 hash: f01877ea7d1140438943d338b32bf06d17918e91

SHA256 hash: a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
MD5 hash: f09473c989db69c4c35f2f5a23094ae7
SHA1 hash: c878a3e521a3c20b74df4d550feecc6ad6e2e2d8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments