MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba
SHA3-384 hash:	3cc221a9f660bda4bd36d889b294e749bf7037f10c61c30eb67888ed9cfcfadc2d650a8597a1477bcb6af7f1cf33e03d
SHA1 hash:	22920b381e7bd8655337b5b5ae40884aaf817231
MD5 hash:	ded7729e03e0b44db550529e4872b334
humanhash:	item-pip-video-india
File name:	184285013-044310-sanlccjavap0003-7069.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'199'104 bytes
First seen:	2021-07-01 12:35:48 UTC
Last seen:	2021-07-12 19:04:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:Y/gJhzhpLb71W75tUkJanTfGQgsVWCLlQ4h5:Y4Jhzh5b71ettyVgoO4h
Threatray	6'590 similar samples on MalwareBazaar
TLSH	5445D00BF705AA45C5682239DCFFC1B413B5ED8B7C528B0B3A987AED3C72652CD512A4
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

184285013-044310-sanlccjavap0003-7069.exe

Verdict:

Malicious activity

Analysis date:

2021-07-01 07:24:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e2d753d6-f924-4f8e-90cf-ad1d5d156c8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/169153/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.868.15750.17512.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc27ac1b-a165-4ad9-8036-41571277c74e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/810397

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2021-07-01 04:51:28 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whoxdptij5sys7vpubsyaoysckseh5o6kk6oqjbmge3lidvb5g5a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22637e06185c1729dc491bf0d47763f8e549ae5a16223b04579240a0bbfa9f1f

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8

AgentTesla

69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4

AgentTesla

cbf9d4ef21092210f58ad0cbdd4753dbbf785387dd8f3001014672679196c65c

AgentTesla

d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad

AgentTesla

f5a8b50ac13f3ecea0bf447a41128d06f1409689fe95d611574e51ea435c75ca

AgentTesla

+ 6'580 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210701-8ra8f3a7aj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

30d205189cfdf9f53d7b2caf741f6fb50c4d723d4956b304b9f4972296cb2fb2

MD5 hash:

83ad5af6deddf015ce8f110842125b7e

SHA1 hash:

53ea450ac91b1c63abfb6ae4a67d4bfaaa475ace

Link:

https://www.unpac.me/results/d79886a3-871a-43c2-b5eb-681bb0a29e08/

SH256 hash:

d4adc0093f8a0de7ada84015c8868a8c4028ea558265acf6dbda452177d5bbec

MD5 hash:

7ae56e289e41b6812b74db5773c5d0da

SHA1 hash:

2f073196204302003b11119bd456159a11f1189a

Link:

https://www.unpac.me/results/d79886a3-871a-43c2-b5eb-681bb0a29e08/

SH256 hash:

1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec

MD5 hash:

81faf15c7e3c9446d906659f7c7a9f16

SHA1 hash:

d7e05a22b109ce608109dc509029a7fe22b4b8bf

Link:

https://www.unpac.me/results/d79886a3-871a-43c2-b5eb-681bb0a29e08/

SH256 hash:

b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba

MD5 hash:

ded7729e03e0b44db550529e4872b334

SHA1 hash:

22920b381e7bd8655337b5b5ae40884aaf817231

Link:

https://www.unpac.me/results/d79886a3-871a-43c2-b5eb-681bb0a29e08/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample