MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b382b42614e7a63921206e861410e6a784ee732b95150e1dff4ee2111523eda2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b382b42614e7a63921206e861410e6a784ee732b95150e1dff4ee2111523eda2
SHA3-384 hash: 77402e433a4a91a1c02dd0a92bcdacc918d11a0ff32bf8dd1ff63ef14c6578e2b1443b633cccf1ec6d59a96dd1a9d52e
SHA1 hash: 117a9e52b7f0df9ce6cc3bcd2f50f52bf138e95b
MD5 hash: b4d59450f62237899fe4c2febcc1609b
humanhash: south-paris-october-eight
File name:K8V1x1HINmsMVgL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'058'304 bytes
First seen:2020-10-23 13:49:02 UTC
Last seen:2020-10-23 14:59:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'840 x AgentTesla, 19'772 x Formbook, 12'296 x SnakeKeylogger)
ssdeep 12288:zonU5dicZCwZ4viOBPNIl7GFCpDcXUR4zL9hbVZ7+fGwhaEBttue:8kkc4viAk7GFCNwvhdmaO6
Threatray 760 similar samples on MalwareBazaar
TLSH F935CF017194DF01E27D5BF0E52855F14BF63C69EA2AD28B4DA2BCCE3A72F405A52B07
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75067/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop14.7038.5748.21086.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508163
Signature
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b382b42614e7a63921206e861410e6a784ee732b95150e1dff4ee2111523eda2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 01:46:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=woblijqu46tdsijan2dbiehgu6co44zlsukq4hp7j3rbcfjd5wra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887
AgentTesla
3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380
AgentTesla
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
AgentTesla
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
AgentTesla
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
AgentTesla
9254d3364f3dc1faec6f4f624e1c74f14ddfad19300eca7eb18a4a1a15cf4d98
AgentTesla
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
AgentTesla
b7adf1bb5628fd6ec0905e0d3f32c20c39f401ce845f73e15ce867aca4a531fd
AgentTesla
d03792e976baeea6547686ff0fe4ced755f9bad76ee6e3ff3c5f4adf93cbb0f8
AgentTesla
fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e
AgentTesla
+ 750 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201023-2m51fh9wyj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b382b42614e7a63921206e861410e6a784ee732b95150e1dff4ee2111523eda2
MD5 hash:
b4d59450f62237899fe4c2febcc1609b
SHA1 hash:
117a9e52b7f0df9ce6cc3bcd2f50f52bf138e95b
Link:
https://www.unpac.me/results/e4b0b621-2834-46f7-8c5f-b0b1d2aefe4d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/e4b0b621-2834-46f7-8c5f-b0b1d2aefe4d/
SH256 hash:
e4c5c061f1b98bf54877a42fed4f36c909cc074786ff6b18953aca67ff4045bd
MD5 hash:
42b66de56992f481ce8502e68ae184eb
SHA1 hash:
909e0139c09d30e8cd8db6c814181352cb2dd2c5
Link:
https://www.unpac.me/results/e4b0b621-2834-46f7-8c5f-b0b1d2aefe4d/
SH256 hash:
284f769899ed4a4c5470f81bbe2a353c2fe0f9eda23064ad618181ddc3cc0b52
MD5 hash:
97736e771702a3995f69545fbb143aa3
SHA1 hash:
d021b614eda8195e98b506f19e0c890d0fe80a5b
Link:
https://www.unpac.me/results/e4b0b621-2834-46f7-8c5f-b0b1d2aefe4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b382b42614e7a63921206e861410e6a784ee732b95150e1dff4ee2111523eda2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75067/

Comments