MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
SHA3-384 hash: 7694139ceef3132203a666293e9d3a3019aa8258844d8e0ca196fac0d25240f0cff5e2dff2bc6d86fff9096b918336f1
SHA1 hash: 1227ba50fbe1cd404db4f810859b6d8476f0aba4
MD5 hash: 056ad62e0d4890efa561bc1b00f9fec1
humanhash: item-emma-missouri-fourteen
File name:Sample and Specifications.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:519'168 bytes
First seen:2021-03-09 06:10:27 UTC
Last seen:2021-03-11 06:16:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:I+Zgb10QmhH0GEIGx1yRyS84oZwl67ZN/upcBNtC/o:I+M6AfWRyH4ot7ZN/upcc
Threatray 3'073 similar samples on MalwareBazaar
TLSH 81B4E0640B7C20A2F757DF7B343B0925AC9763E9090BF92539ECA09A281D77C41FE694
Reporter fabjer
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sample and Specifications.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 06:14:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d530135b-2e3e-40d4-910b-b88f5674794d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123090/
Detection(s):
SecuriteInfo.com.Variant.Bulz.387274.13399.16720.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632308
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 18:25:48 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v63weca6vuoll2d7iwrzzulknb26sapldvnlic4xrqs74ve5ezra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4316dbece42e93640c8df6fab16f81e09d207967c9e94b908b96f680c0469064
AgentTesla
4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8
AgentTesla
547730d182deb8f0b96b48b7d635288e43748c79816f3ad481735df25ae9523c
AgentTesla
63fe4414329ce0fa71954c9d1a65a74d49457844fb1043b104f4cd64c832f84b
AgentTesla
70f663d3327046c372ba628ba4a216adc73738b080c579a9e9c45c7780e79e1e
AgentTesla
a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5
AgentTesla
d830adad4946e743cdc39b91ce67e2c3c0ff9aedda4cf205d1756ac45bb7b2e8
AgentTesla
dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2
AgentTesla
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
AgentTesla
f892fa6757d9aab17b11c24debe91cc7ecd4591bc656f9e653dacf883a1b764f
AgentTesla
+ 3'063 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210309-8lqnytrpcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
Beds Protector Packer
AgentTesla
Unpacked files
SH256 hash:
8148ca9fff6994d06c4db7ddb6a761e0e74a94b2456e39bae85cb6505ddd2ae5
MD5 hash:
6f310edfe81cf4e23e6c0916b62b2e77
SHA1 hash:
ff0fb5a5806a4231c7a36ab82af42a34f49f24fd
Link:
https://www.unpac.me/results/3ca49213-c4b2-4e12-aaae-d50a374cfa27/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/3ca49213-c4b2-4e12-aaae-d50a374cfa27/
SH256 hash:
f03ac7168346551532ceaea2879a0af0bae7f7827cbce4d89a5cb9cbaa654a41
MD5 hash:
2e9ad5e7b821228c7b4b3438de0c10ac
SHA1 hash:
7637a14e343f18261c27e6cc0eb1b46bd41b3b77
Link:
https://www.unpac.me/results/3ca49213-c4b2-4e12-aaae-d50a374cfa27/
SH256 hash:
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
MD5 hash:
056ad62e0d4890efa561bc1b00f9fec1
SHA1 hash:
1227ba50fbe1cd404db4f810859b6d8476f0aba4
Link:
https://www.unpac.me/results/3ca49213-c4b2-4e12-aaae-d50a374cfa27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e732fd3ef1325735aa0c0e536fb7ca9fcf093696e9f2f6f97a12987320a9e99b

AgentTesla

Executable exe afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662

(this sample)

  
Dropped by
SHA256 e732fd3ef1325735aa0c0e536fb7ca9fcf093696e9f2f6f97a12987320a9e99b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123090/

Comments