MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1ec11ffefb1d9d29251fe84c8712c74c331d4172597f038112ecba875b38d3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	b1ec11ffefb1d9d29251fe84c8712c74c331d4172597f038112ecba875b38d3e
SHA3-384 hash:	243d403aabedc709b4fc9ead92f01b95be35ee8d3e93bd9362b610fb88cda31cab5f6fcab64577e21601eb3746c97d17
SHA1 hash:	cf9d2be86b1147d733b14a2bbc8e2dbdaacbbe80
MD5 hash:	b4e03449b6e1e8f8e073c69a73f9296e
humanhash:	undress-hamper-football-cold
File name:	nnz.msi
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	528'384 bytes
First seen:	2020-05-18 16:22:16 UTC
Last seen:	2020-05-18 16:43:47 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	12288:NEDsUCWpgut1Z5yfyD8Gz0Z8goPVv8LVGUPIM/8uI:NEDsbOvltQKg4voVG
Threatray	10'602 similar samples on MalwareBazaar
TLSH	69B4DF887650B29FC867CC72C9641C64AAA16C67570BD343A45331DE9E3EAEBCF111E3
Reporter	oppimaniac
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

2

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Mal.Generic-S.23678.162.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-18 04:06:09 UTC

File Type:

Binary (Archive)

Extracted files:

17

AV detection:

16 of 31 (51.61%)

Threat level:

2/5

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

04fd9df0e5ec9e9f2ddebfa497adbe3c57876dd52d8b778cee3701f21cf02986

4b8d62db8bc41db322d93e617367b302796f211080ca07d138699a2923aafb23

5a0097d91be843b78f66434a1035a1d2b2c7712b7a0b16d1004c1a9043327da4

a95bb180b0d9bb5f2a3b7974f8170fb18b6979a46cacfa352d769eccf428ebdf

bf54056eda237aa8972826e73687985609e3713c461c40c3c47ca231d7266783

c4fdfd3c5845ef7a537230b46564c1c81c139194f36097ce0b97b02e8a118dbc

cc089cef64153a919590030b102f07d0b64965411e5f81e5a125db77775b2bb2

d8e66bab8039e591aff2e2b55d77eda4fd3ac53c77d3c9c1f259db30e9f0008c

fa3ce577f3f1fff59835222b4a67d32900b0e49fb5d7f8bd0874dfc75092a2e4

ff3a44650dfcba5ccfa616d1311580e6e4f11eddabacf0758ed9a71f10c49bf4

+ 10'592 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-kydlxs2q6a/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Drops file in Windows directory

Drops file in System32 directory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Enumerates connected drives

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

msi b1ec11ffefb1d9d29251fe84c8712c74c331d4172597f038112ecba875b38d3e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/364514/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample