MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afd6bafa6a8d82e932299d940a71eb03ce9c9f01e1818589500af3ea59c6cebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	afd6bafa6a8d82e932299d940a71eb03ce9c9f01e1818589500af3ea59c6cebc
SHA3-384 hash:	984fe50b477fbf6f018f0567cdc31b4716ece1fe6d178b4f80fb322444e328a2452805b05d63ed33124c554dc7473d96
SHA1 hash:	2afde314bd93498a0c7260912a7cf67312f49f4f
MD5 hash:	48528d26cfaed274c20c383a5f3ab9e5
humanhash:	quebec-maine-nuts-pennsylvania
File name:	foakTEjUOvL9nBY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	570'880 bytes
First seen:	2021-04-30 12:46:07 UTC
Last seen:	2021-04-30 20:49:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:UnhxWc+2X6XZyfN7NoM0jVKq2drurkrfwZ6ujBNdYF:uWa6XZyf+jgq2dKkjGxzdo
Threatray	4'362 similar samples on MalwareBazaar
TLSH	FFC401202399CB19D57D4B780D2A62C023F2F51AFB01D75E7E9851DD9E63E038B21BA7
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/147421/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.688-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/704827

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/afd6bafa6a8d82e932299d940a71eb03ce9c9f01e1818589500af3ea59c6cebc/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-30 12:09:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v7llv6tkrwbosmrjtwkau4plaphjzhyb4gaylckqblz6uwogz26a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

46f3152f5d75ba9d47ec432ce121260b59b1c9aa4eb15757b0915c23555640c3

AgentTesla

5bd862771421523a7132611d5f94c6f33ba18a3ae5b241f69ab0dd583bf57fb6

AgentTesla

6415b721c79b022b80d641a3a53e01bb7f1221c0ca86f35437e964bca2fd5e95

AgentTesla

71a088041725b0d5ba715fc193d170aafa120250c9e2fc0774c8be43f40075e1

AgentTesla

817c644950551a54eb50dfa3ea09b09b0fdab98a67cacf7be33fff76b05e4e11

AgentTesla

864e6fe3fce577e7b83b31e9023380e3970c5bf6bf441fa3a8c5418a8b24e847

AgentTesla

96e975e9e509e40c6b069f4fe4ef338ddaa76472a30e3115374d5ae3b25c7616

AgentTesla

ad588855cea6e5992e2574bc9fb6baac112b14db7b82fac3e72963223c3ae247

AgentTesla

e28c889ab69d687e864a575a571394099cfed302d28d41274ed77c63adcd0a69

AgentTesla

+ 4'352 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210430-k7cf3eg2t2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b

MD5 hash:

73cc3f7e7700e6a54cb5f291dffe5aa1

SHA1 hash:

09174f9fa55c9bac0540efb7a8c682878a32d02d

Link:

https://www.unpac.me/results/d6a5b7c3-1fad-4de8-974c-0d34aaec1dbc/

SH256 hash:

afd6bafa6a8d82e932299d940a71eb03ce9c9f01e1818589500af3ea59c6cebc

MD5 hash:

48528d26cfaed274c20c383a5f3ab9e5

SHA1 hash:

2afde314bd93498a0c7260912a7cf67312f49f4f

Link:

https://www.unpac.me/results/d6a5b7c3-1fad-4de8-974c-0d34aaec1dbc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/afd6bafa6a8d82e932299d940a71eb03ce9c9f01e1818589500af3ea59c6cebc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time