MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000
SHA3-384 hash: 4c7664b62c0d00cb3e825bf2fc9faecffe678ab878bd144461580217608eab4b5d69701bed9998c0a94f323eb424b367
SHA1 hash: bd9d0489dc48b4356b62736a033291166089e1ef
MD5 hash: 532490a88762e34f3f07466b4304b2fc
humanhash: december-ceiling-carpet-idaho
File name:532490a88762e34f3f07466b4304b2fc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'020'416 bytes
First seen:2021-06-08 19:30:53 UTC
Last seen:2021-06-08 21:21:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cQfWd3WrmuSWDAYcO31OsAANt+8t7EkIbCoAJ0DxXq8JAm+fKv/luUf80NZ3FcgN:gUm92AbOlxAANZI
Threatray 5'709 similar samples on MalwareBazaar
TLSH 5825B4AC356071EFC467C6BA8AA82CA4EB61357B531F9103902715ED9A0CB97DF244F3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165468/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16116.19772.20586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799143
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 15:45:23 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v76awbignnyhazqugmip7ldwkbs3pr75zvouggmik2a7omhzaaaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05bdb815046e31699e7e357aa4333d07ea97456fd8752f550ffcf46e12a07ae5
AgentTesla
07f741a7261963f9ab96ecaae896b2a07754eb65638d6a61718e5339b51fd12d
AgentTesla
35a4ba4437a87a34f0916a03c74368b247c212464d0defb97cf2700fd9a337d4
AgentTesla
36a8eb9eabcaf8a6647eb1aef1a4dd285ca9356563d021e70f1180bc82d6dc90
AgentTesla
487d2a06544320c28cac33f3c9f46496dc127baab12192ceefd237b48ce02a47
AgentTesla
494d93c1ee164c356496476d5b065092d1285e69b588666401b98bb0ddd5c97c
AgentTesla
7e562d4eb934e1f2d7b9ee0fb618886fe0a587772bcb695b71e7cd8b1f1ec303
AgentTesla
96b067e320b73d73d44df9a4ccc7041deec2059fb26a2efa50a877a528ada172
AgentTesla
a5cb176175e29f72f93c59e48a8bbf5e51c6c33dd9570bb71b4c2fbe2cb2e2c2
AgentTesla
dc73db18861f1ce262fa73466eae5dc31134bd21a8fa6fd7c7918438c98209ea
AgentTesla
+ 5'699 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210608-mgkvzfrlra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/01f80cda-8923-4719-a989-68d1648aeaba/
SH256 hash:
2361d7ada4d3f32060f052d6a9eb147f88d84552ff83352658da0ed32034f61a
MD5 hash:
747bc1e83f9aa974f3ffb96abc6126fb
SHA1 hash:
5a925c6057e3407ff96d8d4cc2bb170957939ea1
Link:
https://www.unpac.me/results/01f80cda-8923-4719-a989-68d1648aeaba/
SH256 hash:
63b064d420f48849af7b7a9471adea56dbb07f3a3584ab462f8e210e957163a9
MD5 hash:
86f41dc4a15d3233b21b62beea72179a
SHA1 hash:
1931c42b1c011f84c4a197c4122b545940d772c4
Link:
https://www.unpac.me/results/01f80cda-8923-4719-a989-68d1648aeaba/
SH256 hash:
affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000
MD5 hash:
532490a88762e34f3f07466b4304b2fc
SHA1 hash:
bd9d0489dc48b4356b62736a033291166089e1ef
Link:
https://www.unpac.me/results/01f80cda-8923-4719-a989-68d1648aeaba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe affc0b05066b707066143310ffac765065b7c7fdcd5d4319885681f730f90000

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1319094/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165468/

Comments