MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a86039e7c66e0d06ca519938dc7f2158288f4a4f5154a80ae7f9b24b35ba7253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a86039e7c66e0d06ca519938dc7f2158288f4a4f5154a80ae7f9b24b35ba7253
SHA3-384 hash: 782fa025d20f5285caaced1f9db64d331e377427422477f10b3a4bc1d1a381abca3949f5ae5b05ec6169361b93787310
SHA1 hash: cc265793409823f0874067b6f055eba67946cfd8
MD5 hash: 4f9d8d8a1f82afc323c100536a495448
humanhash: quebec-timing-angel-floor
File name:Rechnung.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:584'192 bytes
First seen:2021-02-17 13:55:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:O3NV0wDtld21fNlRUOkCT/Ap24ICQdMc6EJ6PXmS/xS0bwOhD9i6wVTMsM:OLDoZ5Ap24ICKMWJ6PXBDTutT
Threatray 2'851 similar samples on MalwareBazaar
TLSH 8BC4E03522A85F64D47EA7781125400093F1A58AD773E71DBEE960FA1DA3FD28A3B313
Reporter c_APT_ure
Tags:AgentTesla Telegram Telegram-API Telegram-RAT


Avatar
c_APT_ure
malware ab-using Telegram API for C2

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.541.20376.3776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/610392
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a86039e7c66e0d06ca519938dc7f2158288f4a4f5154a80ae7f9b24b35ba7253/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 10:16:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbqdtz6gnygqnssrte4ny7zblaui6sspkfkkqcxh7gzewnn2ojjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ead443fe01ac2cd33b0b3a4bc8396fd0e067fe980e43b7e9d2327b0cb34383d
AgentTesla
40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9
AgentTesla
46f7e4d9929742fb1530c921f9906a387a1d4da940e290209666d3924162991b
AgentTesla
5ac5eee21d5a32eb57d80ff83da21265c7d11c525f6b57ed124a266ce04fee54
AgentTesla
75f2d758f27b27982c84af9f9ad2677e005a72a385e48627dfa13341a4273606
AgentTesla
a33d7aa0899a3fc482f317f171286e069c251e6aa8048296e3a56916acf13087
AgentTesla
a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd
AgentTesla
bd4f9c3b773d0d0b385d03313943d7dadf1475cbacecfdcc91bb65e993cfdf1e
AgentTesla
d1af586157d70283a29e4dddc668359b54a6d882ca4a3555139a485b61ee334a
AgentTesla
de9d415f8380055c8fc1a2239b7e1e85f29f0f1ba780c7bb2b9e2921dad93123
AgentTesla
+ 2'841 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210217-7fmax68x7j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/59ca0cd1-86d9-4f11-ae5d-c369410785d3/
SH256 hash:
a86039e7c66e0d06ca519938dc7f2158288f4a4f5154a80ae7f9b24b35ba7253
MD5 hash:
4f9d8d8a1f82afc323c100536a495448
SHA1 hash:
cc265793409823f0874067b6f055eba67946cfd8
Link:
https://www.unpac.me/results/59ca0cd1-86d9-4f11-ae5d-c369410785d3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a86039e7c66e0d06ca519938dc7f2158288f4a4f5154a80ae7f9b24b35ba7253

(this sample)

Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/library?search=telegram
  
X
https://twitter.com/c_APT_ure/status/1362031059395821570
  
Delivery method
Distributed via e-mail attachment

Comments