MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527
SHA3-384 hash:	cea40c6cda310aa802e56ea56b5fa1153a05b021910b0d64e6f6f6a082e8dc531d0cb4e4735dda4b59c10a201d565dce
SHA1 hash:	78457dd57a2d02ee3ad5f30991554748dc83b54d
MD5 hash:	aaa1cad7ab1ea19b3ba4ac15422e0cad
humanhash:	glucose-ceiling-foxtrot-mike
File name:	Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	831'488 bytes
First seen:	2021-03-17 12:18:17 UTC
Last seen:	2021-03-17 13:46:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:O4gO7+vcqMaQrB4vNdmDgFmHI7X2mgkbq8XO49M2Ewye24pGZRrmIF4HLN0PT:XocqVQrENdCmH/b7X35Eg24pQsIFy0
Threatray	9'945 similar samples on MalwareBazaar
TLSH	9005F14DB6556323C64A03BE15DA78C0E73AA5AA1E11FFF0189940DA1623B71C5A33FF
Reporter	madjack_red
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-03-17 12:21:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d6560ed1-b0cb-468c-ad99-2c65493f73fd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/124540/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36520381.24607.15107.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/642209

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-17 06:56:32 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wkonvms7ipe4ohxxwezlgbsowusd5axtxxrkzvwn2sfcjtzq4utq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984

AgentTesla

13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5

AgentTesla

50cbc0b693b4204caf169db073592dc53b8b1c21b9e71a640ee79692918cdcef

AgentTesla

516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b

AgentTesla

602539024550629c94790807ab0f6b99379a53767b14375963e64b71a2185408

AgentTesla

9b71ca5e5e3faf0bd77b6f6d370d5aa32dffd3e2019b15624a544487895f82f5

AgentTesla

a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3

AgentTesla

d17de71fad23c19ea4e181c8fe33be0fc230d15be13e6d3c755c77e7ff1519d5

AgentTesla

e49644244645c3be9ab057acc1f3f84c12a066bc570529dff3842c2c6f5d72aa

AgentTesla

+ 9'935 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210317-jtphwq1k5a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

4336f33abd4868cb2547151ac21ed6bccce97f5ddf4e3f7a17176abd930a5010

MD5 hash:

72cce92723be5ff1b387ff655d4f84ed

SHA1 hash:

c3b26c6c4839874f0a4f12ecea19ac891ee295f7

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/4d0c1080-9757-4833-ba23-1938103aecb8/

Parent samples :

13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5
ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
e49644244645c3be9ab057acc1f3f84c12a066bc570529dff3842c2c6f5d72aa
b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527
63ffcd2680423128ba007fc38937dce83f0c4466f65e4f1021e84287b990c422

SH256 hash:

1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc

MD5 hash:

8f85df46a482b5b068ae7667bf1a33d6

SHA1 hash:

a210d369311aa4d709dc962c634174738576907e

Link:

https://www.unpac.me/results/4d0c1080-9757-4833-ba23-1938103aecb8/

SH256 hash:

7a9a9af44f81f6d9b972e7388f5f6d8cc54b45f1e2ae24c387f555f73bd52dfe

MD5 hash:

ea5ed48f2ff7864940458fc46410fec3

SHA1 hash:

11509e4e1ff1c9bd6417e6cb929b21df1b1f0f6e

Link:

https://www.unpac.me/results/4d0c1080-9757-4833-ba23-1938103aecb8/

SH256 hash:

b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527

MD5 hash:

aaa1cad7ab1ea19b3ba4ac15422e0cad

SHA1 hash:

78457dd57a2d02ee3ad5f30991554748dc83b54d

Link:

https://www.unpac.me/results/4d0c1080-9757-4833-ba23-1938103aecb8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/124540/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample