MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8
SHA3-384 hash: 041ac5b543031c0db3b06c2e7e4bf79b72441e5b304c174ee2f2c771e9a97c8e416487a1a56f28545301566f10a5e623
SHA1 hash: bf92e1cbe2a83aeaa847df5bcbd7c6bbe9e0d02e
MD5 hash: b9d4dcc2449263aa0a291da8dc8a9b19
humanhash: music-juliet-lithium-tennessee
File name:b9d4dcc2449263aa0a291da8dc8a9b19.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:462'336 bytes
First seen:2020-11-23 16:07:45 UTC
Last seen:2020-11-23 18:19:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YOXe8TNrtSKc7/iAUP9Nfri3GbrJlt8LF:YObTNrtSv7aAUPvri3GbrJj8
Threatray 1'451 similar samples on MalwareBazaar
TLSH 97A4F17552E6AF85E7BA3E7490B026441FBA7DABEB30D90C7E8801D92075B48DD04F36
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://successlink.co.vu/hfc/inc/a40b27b5d680f3.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545329
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321755 Sample: NoiUFFfAOH.exe Startdate: 23/11/2020 Architecture: WINDOWS Score: 100 38 g.msn.com 2->38 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected AgentTesla 2->56 58 Yara detected AntiVM_3 2->58 60 5 other signatures 2->60 7 NoiUFFfAOH.exe 3 2->7         started        11 xQxAsve.exe 3 2->11         started        13 xQxAsve.exe 2 2->13         started        signatures3 process4 file5 36 C:\Users\user\AppData\...36oiUFFfAOH.exe.log, ASCII 7->36 dropped 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->62 64 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->64 66 Injects a PE file into a foreign processes 7->66 15 NoiUFFfAOH.exe 17 9 7->15         started        20 NoiUFFfAOH.exe 7->20         started        68 Machine Learning detection for dropped file 11->68 22 xQxAsve.exe 2 11->22         started        24 xQxAsve.exe 11->24         started        26 xQxAsve.exe 11->26         started        28 xQxAsve.exe 11->28         started        30 xQxAsve.exe 2 13->30         started        signatures6 process7 dnsIp8 40 successlink.co.vu 72.9.135.10, 49715, 49733, 49735 NETROUTING-ASNL United States 15->40 42 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.42.25, 443, 49734 AMAZON-AESUS United States 15->42 44 3 other IPs or domains 15->44 32 C:\Users\user\AppData\Roaming\...\xQxAsve.exe, PE32 15->32 dropped 34 C:\Users\user\...\xQxAsve.exe:Zone.Identifier, ASCII 15->34 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->46 48 Moves itself to temp directory 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 4 other signatures 15->52 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 16:08:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfqbqz5j3infdzm537dmduwuzltrsckfzpawhiceacq3fodsv3ua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13dcde3e9c6f160ab11c94f84aba6b7a1b802126258e59f872fd1ae61ce8ff64
AgentTesla
157b42dd922668eb28d3279b6d246e632d76dc0e5b1b033cbd4b394beab739e3
AgentTesla
1d4629f9ef456b0d63a51442a9d19597baaafe09ec18ca734e9a6c8a8e818028
AgentTesla
1d6004838e32ca7b5763964c99d3c92fc591c7b21d0de3595a7da27794ec5ab6
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
4231c38aadd1c59f0270408e841f773c1e17bf1e45f02d20f440d1c82413ec5a
AgentTesla
486d7c96b47e6a1278f06601b3cfb146a2a453cf2b4658036f4a392298195bf9
AgentTesla
7b3834838c8089d4af4508d5961ea134c7ae331dfe350381f38fb6ffda679726
AgentTesla
c1823f0befbdf02c1275d0641e142aeebc8d70d9dab04816ada7339da23061e2
AgentTesla
db5e220fcf9c0a4f920ffae85664ea17a2dab6ab8b279754f7057e45995c0b6d
AgentTesla
+ 1'441 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201123-7nk5epybv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8
MD5 hash:
b9d4dcc2449263aa0a291da8dc8a9b19
SHA1 hash:
bf92e1cbe2a83aeaa847df5bcbd7c6bbe9e0d02e
Link:
https://www.unpac.me/results/b6bb06bd-490c-4e74-a5cc-693045083eb3/
SH256 hash:
ee4d96f4a9c5a8d0030cf5a04ec55b71a70c4a7632f752f1f90560312b408c38
MD5 hash:
018938a3a02996f7708372f5bfa4dde9
SHA1 hash:
2d85853e1b9ef9bc9361dbc987690d5cdab1d15f
Link:
https://www.unpac.me/results/b6bb06bd-490c-4e74-a5cc-693045083eb3/
SH256 hash:
3b6b2415894c06ebbede41ed7f6db931f55934fc9f715c6f79e791a8e8850129
MD5 hash:
2c4dd99b1e80bd2ea7104cfef236f18e
SHA1 hash:
74d24e5339d23e40ecb9a1ef7f8ca619a4697bd1
Link:
https://www.unpac.me/results/b6bb06bd-490c-4e74-a5cc-693045083eb3/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/b6bb06bd-490c-4e74-a5cc-693045083eb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/846723/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105320/

Comments