MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b45255f1a1e65b5587343c0f9d7225ca1f60463379b0930404a25e6bcb95f77e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	b45255f1a1e65b5587343c0f9d7225ca1f60463379b0930404a25e6bcb95f77e
SHA3-384 hash:	152a266c7b4b5c13e469beef20deb5e7e5b7223f8f50b2587ddb836a29e9641b938f3550e2ae96199530f0a8fff3d0f9
SHA1 hash:	1ff91c32ae9b041432ec4bd0d767d1cf21ff54ec
MD5 hash:	a24dac4d8256edd53a1d28c89bf07a50
humanhash:	asparagus-magnesium-glucose-fillet
File name:	b45255f1a1e65b5587343c0f9d7225ca1f60463379b0930404a25e6bcb95f77e
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'815'552 bytes
First seen:	2021-05-13 14:30:07 UTC
Last seen:	2021-05-14 11:46:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:YoHSJgtdiOkJldvg1/nmlgivaEoEHlxm0xB:CYm3W1/mlPeEH3m0
Threatray	4'935 similar samples on MalwareBazaar
TLSH	19859E121F050F5DE43DABBDB436140A87F87E45F3E0EE5DB86939D827BAB028D46252
Reporter	madjack_red
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b45255f1a1e65b5587343c0f9d7225ca1f60463379b0930404a25e6bcb95f77e

Verdict:

Malicious activity

Analysis date:

2021-05-13 14:34:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b82ffe9e-1117-4666-80b7-902ea1ff0554

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/156229/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/781168

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b45255f1a1e65b5587343c0f9d7225ca1f60463379b0930404a25e6bcb95f77e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-13 11:06:13 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wrjfl4nb4znvlbzuhqhz24rfzipwarrtpgyjgbaeujpgxs4v657a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

73109a8da6ec06221d707955dce0ea93f17273ea582673f5d4cbd63ad20820fa

AgentTesla

76214b75099fe440b9639a0daa17ce9b49d1cf4193c5f3e429dac8aa1c555c60

AgentTesla

8fcf8f85c440832165b3a94aa1878a8b6db4089aa765d7a977e7b3a040c8f054

AgentTesla

9057936347c73028c880c06c0f41c373e3db3b75085f5b8da60966025c545d4b

AgentTesla

98a6ecb8694c864235818708fadba534563e4e6e7c2c48994c69499abdc35c77

AgentTesla

a10213876dda124a602a41a9b947e66ed8ad7e330b76596bdb0ab00b435aaded

AgentTesla

c70bf2aeaa6b9f644dadc0617debe3ec20671adc1e2ee8c60a8a932bf99e3c63

AgentTesla

cd33314417e59031e5fb210cd40ce59202160d1a711c9e55fe1c3b04dc7431a5

AgentTesla

d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8

AgentTesla

+ 4'925 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210513-8ew8ljq2h2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/156229/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample