MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29
SHA3-384 hash: 647124856572801f3d7338f93322b87a7ea6bbf064fbd163f9c055e727f85918e4199a2c8b9fe9bc335676a3223ee97f
SHA1 hash: 77f95b5533dfe26b663d806ccbb86bffee5b8720
MD5 hash: 046671828bd29a5f7c640ac2ee36b304
humanhash: ack-foxtrot-social-hotel
File name:046671828bd29a5f7c640ac2ee36b304.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'111'552 bytes
First seen:2020-10-19 11:02:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:RPnJIbqb1bMzVjVC0pl+icQv6DAxiS2fRWj1j4biENit2F2ENoSvKocONLzaJMBd:7UpsQCcxiUVWHN02KiHM8gb07qe
Threatray 95 similar samples on MalwareBazaar
TLSH 2E35702439BB9049F173AF7ADED475A2CA6BF7723606946D2062C3060613A83DFCD539
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72926/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495327
Signature
Adds a directory exclusion to Windows Defender
Creates multiple autostart registry keys
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 11:04:17 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
AgentTesla
1f6ec588edbf2a5b1796f89ad775229cad1066bc93607baa8993a19323be34e8
AgentTesla
72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc
AgentTesla
7490493c29c4dd5b704a2ab854310b61b246d25b585c6a9f08232bd6bc221a98
AgentTesla
8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed
AgentTesla
92715192ee868e9d408f9449893688c609bb81fb522f9af00f9cf8caeaf098a2
AgentTesla
c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75
AgentTesla
d62d0dfa280cd130a3c9a1d39cddc61ca6212bb7a3fc2fdf39b72ff11dfe7a06
AgentTesla
e7f93c2a012002bd558069f5d5d7b20ee1df9ecade97d85f6edd9e0b66be0623
AgentTesla
f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2
AgentTesla
+ 85 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201019-c38wnbbh36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29
MD5 hash:
046671828bd29a5f7c640ac2ee36b304
SHA1 hash:
77f95b5533dfe26b663d806ccbb86bffee5b8720
Link:
https://www.unpac.me/results/8aeb9ed9-b1db-45fa-9966-2055fd1308c7/
SH256 hash:
3a7ef617b8e477531adc661ad53d21151a182f6844baa3c527cd3296cd7b199e
MD5 hash:
5961e407351337745798016027795d1e
SHA1 hash:
1904b5438c530256e5ff99d01f94e228286c1371
Link:
https://www.unpac.me/results/8aeb9ed9-b1db-45fa-9966-2055fd1308c7/
SH256 hash:
78526812b9521a645c9864c1b54542f1e9ddbf15f117e3e128f24eb03ffc5d20
MD5 hash:
8c0c5a217af994c0d84d3bf11539513f
SHA1 hash:
b2cafdbb474992c46a5bff8d83748ef7f7c8cca6
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/8aeb9ed9-b1db-45fa-9966-2055fd1308c7/
Parent samples :
b48cfe64a7d020f64e9b09d7636b59ac1f567a51d246b8dd59c53eaa6b339aa7
06575f01727b5aa6296492bdbaae78073ee3b3abc8870b6b9027368260bc768e
71f156f01f3722503ae7b346c37f64a6bc9efe810309636aa30673062b59aa6a
744ebb2e77533c06399b3e375e997c864eecc2a20d97145c028a44575a6a44c8
4c2e0930bdf8d7e4f74a6b005ce1a1fdf1fe3a77ea4b1b88d7ec4ec4d9d9655e
2f591f2c8c67d9c61b196f05fc0730152e5a8c5cbaec47f6afaae62bdb7033cc
aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29
25bfba7555f3b542adc0b1384711da8e2e44b5fa8141866eae52a3e81efb6954
0038fdbc0cabdd5c5e1a140c9e614977ee2582c4c729ded51be44003ce01d152
79517807d3412c0fcd9bc91c4231cee4aa9d5bc35f80993a68d52c479dadbeaf
d2ed9e1008393560f0d117258892b7c6a67031184fd0566a98707b278349617a
ba53d9068b8823d41ab697d3daed40482317f3899bf08c7a218ba354d88d97ee
5026cabaa456ffa64c5e6dbdfa5cfee826651dc418167f4c88cf0a2a2033ce58
775097956590d6f019d682b9dee551bea46cd33c14e3fb7e829fa386133aad29
b0215d205e646e3bd5a16b23b1512ed4dcd9378704df6fa5e18c0e4780dcf4dc
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe aa703ba4b6b97339a2d84fca6c433da3118f4930ffd27d7bd401a82d7a722e29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/460143/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72926/

Comments