MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a
SHA3-384 hash:	7e678dd2ecdd925aed1a8d4985bd91d993e6aff75626fdd26a55b0807a4b25845b9524d33ff40671ad4858e53b9fa517
SHA1 hash:	665d2ee28dcbafbc8cffdc42d17cadaa953e4b4c
MD5 hash:	b4e07ea196d05192e6ce60536dfba515
humanhash:	nine-eighteen-july-lake
File name:	K15oy6h836rIyrn.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	879'104 bytes
First seen:	2021-07-14 13:08:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:EBQUCGqNxb7nLFmBzT+FGZs/ZYz8bdUaXiBL9gmk+0:EBQUcPXLFmZTUws/Kz8/X6Zxk+
Threatray	6'764 similar samples on MalwareBazaar
TLSH	T1E515BD2323844A27CBBE46B9B650E050F761ACAB7B00DE0F1AC371D6597BBC05596D3E
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

K15oy6h836rIyrn.exe

Verdict:

Malicious activity

Analysis date:

2021-07-14 13:13:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a4dba31e-fa51-4e4f-81b4-905e531c1f63

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171660/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db15e065-ef88-44e2-8aca-cf9900783692

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816223

Signature

.NET source code contains very large strings

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a/

Threat name:

ByteCode-MSIL.Spyware.Darkstealer

Status:

Malicious

First seen:

2021-07-14 01:51:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 29 (65.52%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vpmz4sc6lr5umlznxkrmry7k44p2u6nrleq7zfhmhatzedz3jjva._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5538adf3e8e18614c6eb877e10850986b564efbe9870c4027e2b38bcf8ccaf41

AgentTesla

6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8

AgentTesla

6be400fa61cb3ea26f971bee2b41dc11761d247835f5bff2a017a78f2a6aa010

AgentTesla

72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75

AgentTesla

7442f0a65b8a25f44b65fe4e3db9eee4a95ea2027068b4fca8760d7a6a311a98

AgentTesla

80229ebcf769df182c0354a82f076cb2f093d95a2bde0af3d9ef740c1aa038a6

AgentTesla

91d6b1ee61fc676affdcead674c1d17c2d62f7aacc1a757e4071af6134fc2847

AgentTesla

ca8d2b47b68c7da2724b641ced05c71eb70b612b7fe02d9b2d89764d68b05be0

AgentTesla

ec5ac9558ad6570a68a3bb287f87227a10f2ef1ba7394ef77c27b645434752ac

AgentTesla

+ 6'754 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210714-86zetk311n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/aa9fb422-371c-45cc-a640-9d2082fee634/

SH256 hash:

b64b9a48e5a2c28c437036094ec661d4a6755c1df1215fe4be3d9537fa121d15

MD5 hash:

53b61b1f93e3bece824b9c688752e208

SHA1 hash:

8dd628dcbd779a4caa4607b6d0cfc5553cca1be6

Link:

https://www.unpac.me/results/aa9fb422-371c-45cc-a640-9d2082fee634/

SH256 hash:

63d436c077455be5c32e940ddb27b7d82d157c965b63c47a70d588b7818b7491

MD5 hash:

82826bf9e6d8bca516e0dd4edbb74951

SHA1 hash:

1bd2b887c29ff6dfc8268603d2f18ca8667a0c7a

Link:

https://www.unpac.me/results/aa9fb422-371c-45cc-a640-9d2082fee634/

SH256 hash:

abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a

MD5 hash:

b4e07ea196d05192e6ce60536dfba515

SHA1 hash:

665d2ee28dcbafbc8cffdc42d17cadaa953e4b4c

Link:

https://www.unpac.me/results/aa9fb422-371c-45cc-a640-9d2082fee634/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/171660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample