MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460
SHA3-384 hash: 63c0d938e1b8af670c38c0c19fdd6820a29b3ba4c4b029b6f3a93c7f968db26866b17c5e6874866639d1ea4550290ea2
SHA1 hash: 6f01d745cc70e0704aee76c6753f83c6cf31af9b
MD5 hash: d4dab484017302f8e18cf260f3576c5c
humanhash: ink-hydrogen-tango-quiet
File name:SecuriteInfo.com.BehavesLike.Win32.Fareit.bc.12213
Download: download sample
Signature AgentTesla
Create hunting rule
File size:804'352 bytes
First seen:2020-11-13 20:39:49 UTC
Last seen:2024-07-24 20:13:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:YNwxG4qPqJakDeRvgurThJBqqMO+wEOHilDwr:YoKpRNrThJ8qiwi0
Threatray 1'172 similar samples on MalwareBazaar
TLSH A205CF297701AF11C7BC2777D9801405B3F8CD0A9B23D96A3CE479EE2E66F65B11920B
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.bc.12213.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534263
Signature
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 20:00:03 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtqvwtkbea4wm47bwcp4kmtykj74wrssgxbk2i2ah7je2chl2rqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
262a211656d15bead6b81f0755443a6e8aff1a3316318b326355a575087e39d2
AgentTesla
27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0
AgentTesla
516f16ca6f1b1ec44cb6c21f9849ceb0e7474adffce7530d1fe46c4483e5c27f
AgentTesla
5c262eeac56f9ceeb0b44f0b0c46535aa23c3f1317d2c03148648342854fb98c
AgentTesla
64fa98c6d88fdd55fa6c93b8ab2f08e6e5b3347b102651f86a9f9ac569e2a239
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
d2e0d084dc1d9d203c90d09872553c5e02c09491c18407139792dd57eae4f38b
AgentTesla
e28ed19326e3b7a86441b0e66f286e70fa1f9cf0131d5821e303d4ea6225fe06
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
+ 1'162 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201113-sx74s63rva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460
MD5 hash:
d4dab484017302f8e18cf260f3576c5c
SHA1 hash:
6f01d745cc70e0704aee76c6753f83c6cf31af9b
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
SH256 hash:
919d263949ce0461d69e86bc6453160d6b03ec86090c3c3f6b529b32615746ad
MD5 hash:
dd4e1dd8fe63cfdbc0d17d9e6036ba86
SHA1 hash:
016147f42a21deb45d39793f6451ad74835ade30
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
SH256 hash:
4a3e3b24faacb1babfa7784c3ac2d17af6c913fed40996aa883701488ba6ee91
MD5 hash:
c885969587f7a52eefe0679bc1c41ba3
SHA1 hash:
62c3af4798c2db30df6900332a9cac3d9c3085e6
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
SH256 hash:
9974a3af9d5eff9ff82c1e6dca6e035d4989f089e7cd43f191cb3df2f873258f
MD5 hash:
333c62025943471baed5f56054b36011
SHA1 hash:
9ce3a8630477aa277320ae15861f832ecf9e5973
Link:
https://www.unpac.me/results/6b81c6bc-c6cd-4a74-8a54-5f8aeb653920/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments