MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a99afad6c2f267c22062cf92c8996cdcbf175baf5cab453ce8aae27c43c2ad10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	a99afad6c2f267c22062cf92c8996cdcbf175baf5cab453ce8aae27c43c2ad10
SHA3-384 hash:	054a3f147f996e7a3e72e1f910b973d39275bc2388d8e02de7792e5daa39b0ecf2e308168152e3d677dce496bdaf275a
SHA1 hash:	e34c21c9e409b83600e5acb8cc5dba4eb046e697
MD5 hash:	b92d4c6e2034bfe35b729def534bc5d2
humanhash:	mike-zebra-spring-timing
File name:	A504959.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	808'960 bytes
First seen:	2020-10-29 10:44:49 UTC
Last seen:	2020-10-29 13:14:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:B3Uuc6jKXxG2uUG/lqrO1V0b9yeGwrzDU39fxX:O+jKXAUWlqrzo2fW95X
Threatray	855 similar samples on MalwareBazaar
TLSH	FC052230B0D23AB3D3F69EBB4074B220B3B4654B855ADC5AE175BEE184C57A05BF1C62
Reporter	FORMALITYDE
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject4.4033.17037.20770.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/515945

Signature

Binary contains a suspicious time stamp

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a99afad6c2f267c22062cf92c8996cdcbf175baf5cab453ce8aae27c43c2ad10/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-29 10:46:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgnpvvwc6jt4eidcz6jmrglm3s7row5plsvukphivlrhyq6cvuia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2c4f7516214ad84b31d2468ff496720193ea743bdb260287e2ef9ec48014b493

AgentTesla

419866e243e8c421e9ddaa512c0aaabb4454b57e684855d23576daa570a58957

AgentTesla

4e3ab14789320aad6caa94c9b56900c59087779a8c80dccae409ab897b9a600d

AgentTesla

98f16bf7fd0d32ebf300230c3992712556f0bebc91678c4a6da74f7a900be68b

AgentTesla

b2027562cdbec2beeb72eb09715b7615a62c0050d663eafc82de9d3461a05dc0

AgentTesla

b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004

AgentTesla

bae353be3d64c66c76ca33280e436b02460497265e503b772db81c2e84971cba

AgentTesla

c1fa48c0b9c81541dc2ba39db3fc1c410f6231e8df9aa69c02bdd1c8549b453a

AgentTesla

f740b4f32c0d32f5ee1525c3da775efdb4cc6535fc7ef372b373c9c67f32cd2e

AgentTesla

+ 845 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201029-1b5ee4t4h2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe a99afad6c2f267c22062cf92c8996cdcbf175baf5cab453ce8aae27c43c2ad10

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample