MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
SHA3-384 hash: d913adce4b8789d2dc0507711d193b5dc96587b6b969c0c108a54ccc683e66ca5dcf112235834232da6f420710379599
SHA1 hash: d006bc6c037c26e12b750371965e8bda8b90707b
MD5 hash: a444421cc7302f90012f70c646b4b35a
humanhash: april-early-lamp-dakota
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:524'288 bytes
First seen:2020-12-08 18:37:55 UTC
Last seen:2020-12-08 20:36:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:dje4O0dJ4wG9KVe3SdvIfh96bzTITh0RE5:I4OCsPi/TdY
Threatray 1'754 similar samples on MalwareBazaar
TLSH 51B4013242476E5FD73E1FBB914811148EB4A02BB623F66CBF8494D905E6B948E50FF2
Reporter fabjer
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107334/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.19805.18232.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558379
Signature
Found malware configuration
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 04:52:44 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vptko77p33ph3yuh2fiwrh4hup2z5new3fbvd5ailm54djvxkxba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f9f0bd1c94784a9426a81cd5cec73dd110cd63d96938127ad8cd4a25a7c678f
AgentTesla
39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36
AgentTesla
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
AgentTesla
a2faafe17f1c5486ce97238fa62db005afd9af7b53b1d15672c098db19129346
AgentTesla
bb50ec005b943e5906c449de4b21d1d6f7f2b5b377f01886032c576cfacca298
AgentTesla
cc8de0f68549d84a62dcd11df6625b2bfe08a6cfaea102f4710e28969a60f689
AgentTesla
e7ccbe9dfaa198263b85336d9f89a775f7601070708ce65b9e4612332e0207b8
AgentTesla
f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293
AgentTesla
+ 1'744 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201208-nbspa3xvzs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
MD5 hash:
a444421cc7302f90012f70c646b4b35a
SHA1 hash:
d006bc6c037c26e12b750371965e8bda8b90707b
Link:
https://www.unpac.me/results/e1ada8f9-0a55-48e3-aa1f-42ff617e0114/
SH256 hash:
333c393b9a8e2d8a2a70ea28f002e09c052bc54ac8a75d2ccf68e7bd1ca34ead
MD5 hash:
1d64d926d64035d038a080b6fb4107e2
SHA1 hash:
2995bcb793d857a730714b54112b011b9668ea11
Link:
https://www.unpac.me/results/e1ada8f9-0a55-48e3-aa1f-42ff617e0114/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/e1ada8f9-0a55-48e3-aa1f-42ff617e0114/
SH256 hash:
2c10ce145aa2054fdcdc2a1be256064ad37d0f3ade792c9087bb2089fd831f42
MD5 hash:
1d1e5c834dc050318ba1fd5e65a6b645
SHA1 hash:
80453a3ed69a668f0b8217dec5df5041a97a98c1
Link:
https://www.unpac.me/results/e1ada8f9-0a55-48e3-aa1f-42ff617e0114/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 300855639285623fd18084eec7025da71b6af16287ed9e16ce821debefa42970

AgentTesla

Executable exe abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2

(this sample)

  
Dropped by
SHA256 300855639285623fd18084eec7025da71b6af16287ed9e16ce821debefa42970
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107334/

Comments