MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004
SHA3-384 hash: e78dd147a88e55972a594291e71d8af63fb71c901c3aded843e3a01c85585fe69d7218bac051518e0db06b33fef01ce5
SHA1 hash: cac43a3f29cfd2e7cccceac54d2b25f0f105b8bb
MD5 hash: 1e27e36682309281a9d675985e6eff0e
humanhash: lion-vermont-jersey-neptune
File name:1910202023102020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:636'928 bytes
First seen:2020-10-24 13:52:29 UTC
Last seen:2020-10-24 14:56:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:ebTMl7MZRf14PwGEXL0iZwlh2gsTl0zULkZ4viOBPNIl7GF:eU7MZRidu0XAgw1g4viAk7GF
Threatray 754 similar samples on MalwareBazaar
TLSH 23D4022036E56FA4E6BE4FF6253C450A83B2785F5A74C26C4CE533EE0A90F419B54E93
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75204/
Detection(s):
SecuriteInfo.com.BackDoor.Bladabindi.13678.32023.31204.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508631
Signature
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303433 Sample: 1910202023102020.exe Startdate: 24/10/2020 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 8 other signatures 2->35 7 1910202023102020.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\SBweWZFTqkUZtf.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp8F1B.tmp, XML 7->21 dropped 23 C:\Users\user\...\1910202023102020.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Injects a PE file into a foreign processes 7->41 11 1910202023102020.exe 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 smtp.yandex.ru 77.88.21.158, 49742, 49743, 587 YANDEXRU Russian Federation 11->25 27 smtp.yandex.com 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 2 other signatures 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-24 05:51:20 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=womac75iz73l4cazca3zcsmytlbiqc6zfzvtlakivbd6hzamgaca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e7b2a38cabc39fe3fd5b546c03de814d8883434a01c921b2b4bbd1a9417564d
AgentTesla
20cc2227e88b4aee9a2e5afe27a2838fe1c1342f67f32c9eb0b278c2324afba6
AgentTesla
2c4f7516214ad84b31d2468ff496720193ea743bdb260287e2ef9ec48014b493
AgentTesla
419866e243e8c421e9ddaa512c0aaabb4454b57e684855d23576daa570a58957
AgentTesla
73daa7c456a2dc8ebb8b372c752253c4d70ee390e35cc37b25f56571d31143ca
AgentTesla
97f116dcd4a161a4265ccaf07dc12acec0e3e4a3af4216ba95f5f63c80a06fcd
AgentTesla
98f16bf7fd0d32ebf300230c3992712556f0bebc91678c4a6da74f7a900be68b
AgentTesla
bae353be3d64c66c76ca33280e436b02460497265e503b772db81c2e84971cba
AgentTesla
d5313cb45c7eafd84a3d91d1b94d98693556f528bdad1e420433aed0b54fcae3
AgentTesla
f740b4f32c0d32f5ee1525c3da775efdb4cc6535fc7ef372b373c9c67f32cd2e
AgentTesla
+ 744 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201024-va4r7r6b16/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004
MD5 hash:
1e27e36682309281a9d675985e6eff0e
SHA1 hash:
cac43a3f29cfd2e7cccceac54d2b25f0f105b8bb
Link:
https://www.unpac.me/results/3ea155dc-2007-4b67-8df4-af789c41fafb/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/3ea155dc-2007-4b67-8df4-af789c41fafb/
SH256 hash:
f12d9f54ea3ebd13f9ab88691bad8e5593fdab3f1480a0c50103b752ead83aeb
MD5 hash:
bf4c0ab1af88114f84cd5bf816e5aa3c
SHA1 hash:
2c4d0b58924b7c9cf8e75e2f5bf17447ce1cfbfc
Link:
https://www.unpac.me/results/3ea155dc-2007-4b67-8df4-af789c41fafb/
SH256 hash:
3675882133402f31437e3ef46d268bdb6a8fe804ec5aa9e94aefcd449e61e16a
MD5 hash:
68ca6b6d6dcf8036a975c6dc9545570f
SHA1 hash:
9fa02efc780a519aeafe047989bc209ffdbf1be2
Link:
https://www.unpac.me/results/3ea155dc-2007-4b67-8df4-af789c41fafb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b398017fa8cff6be081910379149989ac2880bd92e6b358148a847e3e40c3004

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75204/

Comments