MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6
SHA3-384 hash: 0afdedfcd41d93039f6d70ed6034c72d552dba3ae97354e72872954a29fa21f333899ae277125e8acdfbee2bb0da0587
SHA1 hash: 0cc94e4a51ff8b427964dd47915f1fb3b0a61941
MD5 hash: 44d42f667625d1f4b72393ca10173b58
humanhash: december-apart-lamp-white
File name:44d42f667625d1f4b72393ca10173b58.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:759'808 bytes
First seen:2020-11-17 07:36:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:WLyZN2JaI+TQLxs8KfmvmxXjfRipfKHc07wtxeOfcs/dZQLiqmlNARJNf9NK3p8:W2ZN2Ja9TQLxzwBYpfK807GLfHnQLiZ8
Threatray 1'338 similar samples on MalwareBazaar
TLSH 0FF4E03D2338AF22D5BC477684808420E3F0ED925323D9667CE9F6D91591FD5AA3638B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539094
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318642 Sample: cL6qhldO7O.exe Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 8 other signatures 2->39 7 cL6qhldO7O.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\dygEXoPfHG.exe, PE32 7->19 dropped 21 C:\Users\...\dygEXoPfHG.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp68DC.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\cL6qhldO7O.exe.log, ASCII 7->25 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 11 cL6qhldO7O.exe 15 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtp.yandex.ru 77.88.21.158, 49741, 587 YANDEXRU Russian Federation 11->27 29 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.153.147, 443, 49740 AMAZON-AESUS United States 11->29 31 3 other IPs or domains 11->31 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 2 other signatures 11->53 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 07:37:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpz5mlactwsksnp73yy2mvmsiiqazqfqja6awvjoofgvifyea6ta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
AgentTesla
2693356eb785b39160f0dd89c916020ab5ae032faaa931b30c393e93da2740e4
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
AgentTesla
ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460
AgentTesla
b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7
AgentTesla
c4d89130c6dd4e07b70510bf0397f775abacf0b8f1cf5a01f2461a266bfdaaf3
AgentTesla
e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
+ 1'328 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201117-7fd2ay7kt2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6
MD5 hash:
44d42f667625d1f4b72393ca10173b58
SHA1 hash:
0cc94e4a51ff8b427964dd47915f1fb3b0a61941
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
SH256 hash:
6f95b95a3051d287b397769b5bcf1bca7532363648ac0fa6288a93b57e514d30
MD5 hash:
cd00c5b9d597a8a99d5dc9481803e480
SHA1 hash:
62536b66a28010327c57b2179ccca7a0804718f4
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
SH256 hash:
69a43bdb35886ffb56853281987b376eec5593dce486deec1ed37936e9c5ca47
MD5 hash:
9a63396a7c61c42bf7adb25bc6968e48
SHA1 hash:
706eed1807719d0fd04c2b925ff3480eed4a5a89
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
SH256 hash:
fbfab61c4b669c98791a148b86e6faa0b5ee782cd47e7a1b09aaf9882e9a93bf
MD5 hash:
10cdb73ab2915f91e5661e10a12617ad
SHA1 hash:
f8682d37cd614fd0b8e30b1f15ad096d7992e704
Link:
https://www.unpac.me/results/d9867bfc-c4b0-4e9a-9a88-9044045fc8c3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe abf3d62c029da4a935ffde31a6559242200cc0b0483c0b552e714d54170407a6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/807238/
  
Delivery method
Distributed via web download

Comments