MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b
SHA3-384 hash: 02621cdcee1f3d88b90ec64d02eb570dc27c31ca835646d79578844ccb6330f5c212490cd1b56ff413a086e4e00603db
SHA1 hash: 59e8f5802346c960beaa86c72a13411904eba7e6
MD5 hash: 22b0b4475227b17fd03c05cadd0643fc
humanhash: one-orange-muppet-fix
File name:IM0065676.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:625'152 bytes
First seen:2021-10-04 03:41:40 UTC
Last seen:2021-10-04 04:26:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:EkloBmW+ZMJ+M98y/gYNATUfDgMRac2RyJT6YashlM0JT6YashlM:HcSOZNAof8MUs9ashlV9ashl
Threatray 10'594 similar samples on MalwareBazaar
TLSH T13ED4F19D23AB9600FEBF47F8787490904BB1B8165416C33C5E8068ED1D737E88AE5B67
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IM0065676.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-04 03:44:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/961d7770-aec4-4960-8ded-6a0a58fb18d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194405/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2f92b95458900cdc640a/reports/3da04c96-6ecc-444c-a107-893876b5272a/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/212c7658-6c49-4f9f-a7f1-7fd734cd8aad
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863629
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 03:42:07 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vs3ddyfa2v7gi2p36khhda6koowrnechva3kzsycltl3qr7gymnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04468aecad4b1a4865d357bb60a6d86060f9390418e9065ede079c1310b3f8f2
AgentTesla
268ca772e3e7bef1a82759917e3b9c4377869aa7cb04a829397978adf495c340
AgentTesla
28361df2e00fefcda07f805ea5c17613194fd69b28f143d393f8aeb123cc5eb8
AgentTesla
620c140c63e18539f6e94c7310b9705bde63425fc8f10628ef24356a26f7db24
AgentTesla
72684a74349ce5fc82b27e2a5db12508ff040c352f920ed69fc688162f722c74
AgentTesla
b7e958ad3d7b10e4a79344e347a8f012f81e4caeb4007fbe0e6dd816bd48e221
AgentTesla
bec15fdabcc004c876a014db3ddf35482d79b606aac9430446878f9cc90c8161
AgentTesla
cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8
AgentTesla
d70dd46e7665afd47e252273c19314500682a1aede68b0d2dbfb653a96468fe1
AgentTesla
eb9581db02db6a23a836ba53574cf0d01bd50a6d368f10f77889a441bcb911cf
AgentTesla
+ 10'584 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211004-d9cq8sfhgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1545d3ec868f3dde30d28f4a1ad992197dcc71bc4ee4a5fc18eb34ab249af0de
MD5 hash:
e26da716e21604a2bb171633e2b99acf
SHA1 hash:
df6d1a3e50ed08abc8132844002abb74676b9678
Link:
https://www.unpac.me/results/84ae7a8e-913b-4d1c-8ffe-c9e8d996cefa/
SH256 hash:
e60c71a3cafa86b370e02270a19023068c2a9491e6e621fac6cda033eb488081
MD5 hash:
132db1617757bd8770383741aa28b9fa
SHA1 hash:
d77cf66e14b5935df3ab42d51131d135a5e897fa
Link:
https://www.unpac.me/results/84ae7a8e-913b-4d1c-8ffe-c9e8d996cefa/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/84ae7a8e-913b-4d1c-8ffe-c9e8d996cefa/
SH256 hash:
acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b
MD5 hash:
22b0b4475227b17fd03c05cadd0643fc
SHA1 hash:
59e8f5802346c960beaa86c72a13411904eba7e6
Link:
https://www.unpac.me/results/84ae7a8e-913b-4d1c-8ffe-c9e8d996cefa/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/acb631e0a0d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe acb631e0a0d57e6469fbf28e7183ca73ad169047a836accb025cd7b847e6c31b

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194405/

Comments