MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb
SHA3-384 hash:	9dffeebcb33f3171f7b7e11c8cae138fb04aa06b2ff81fbb10692c3a9072294ca4a25e062dd9fda2209ab7699b1a267a
SHA1 hash:	a12163a0714dad6adac7e928d936dd188bdbb34c
MD5 hash:	7728c60a9a7bb60413c2b9a4f1488e12
humanhash:	blossom-bravo-xray-high
File name:	mSEYLKHfkMUPPBxhGcmDtlXcmhCx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'696 bytes
First seen:	2020-11-04 15:41:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep	3072:A9WwN+hEyrlAX2/rHZ5sIKMUgHE7yIGnmu1eJRFjMHHq0i4QdPWrBqgB2UwR3WlK:Ab+J/rHnDUxRGmIgRMHKiZtgIGyG
Threatray	946 similar samples on MalwareBazaar
TLSH	8B242A166714D511CB5F417FC01A821831F1D707A72AE2CF5AA6D8FA2F852CEF92B8E4
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/82953/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/520370

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to register a low level keyboard hook

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-11-04 15:41:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjovqum23qsyumsjjtxdkuobm2ckhushya6kcfbtq5lbol62s3fq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3a5b1c9c7e10e40551f26dafe302f056f86ce6c6c138a96b0b79389a095b7fca

AgentTesla

3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa

AgentTesla

4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3

AgentTesla

6bc23ccd8612b26fde69c3c640beaf2b1997b5081ba210eb7b26f903c80b55da

AgentTesla

91816d916870f6e48ed8937694ab3108bfd6b57b1aef7a69dff474db7602e274

AgentTesla

a02fab001fe08ddb9a1ff1113714164bfb779c3c1829e0db5de65a9174f3af7c

AgentTesla

aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240

AgentTesla

ce2c01bbc12cb5d903130e68a4e34056f292ebfdb307a185076c3e99b6f98ef3

AgentTesla

f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8

AgentTesla

+ 936 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201104-6pvx2lb9ds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb

MD5 hash:

7728c60a9a7bb60413c2b9a4f1488e12

SHA1 hash:

a12163a0714dad6adac7e928d936dd188bdbb34c

Link:

https://www.unpac.me/results/1a29df6c-b09d-46d1-b0a4-9f0b781f317d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/82953/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample