MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f
SHA3-384 hash:	3a6fb2361fadcef9092acff0e6d5e3195d22b6879f64229c42036ca30dd6633ddc876f976a8f52c8f5dab806461c33f3
SHA1 hash:	de0fb943e5d3f145de1e030c2f8cd77ff0733c16
MD5 hash:	c007e24adb3a4d1758a9957610ef1d5e
humanhash:	six-princess-floor-triple
File name:	P.O List (2).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	220'160 bytes
First seen:	2020-10-12 10:04:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:SmQtLbo52Z0suEyeOqUhiTQWTT9q69jLaub1IDzru9i1qEL1q6qT9iyPYDLLOn:Sf+s0uURaT93nbm/epEp6RADn
Threatray	461 similar samples on MalwareBazaar
TLSH	2B242A1A6714D460CB9F537EC01A820831F1D707A72AD29F5AA6D8E91F832CDF90BCE5
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/70062/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/488299

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-10-12 08:58:01 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyzcqljoiyjteazqanktcws44exmxyycahoe3xolm3hhwdrjyepq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283

AgentTesla

493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927

AgentTesla

4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304

AgentTesla

8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed

AgentTesla

8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11

AgentTesla

aa90926f50f27f99ae4c0001883be71b64dd0bb2f818cb39481f147f52a4658e

AgentTesla

bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828

AgentTesla

d4ad194829837ef26e4edc89c9a7bd0db40904f93517cdc137bc78176ef617fe

AgentTesla

dfa5e1f893c313deda7e7ea47512b756a21bba962e07cb21248b9abbdaadf3a4

AgentTesla

+ 451 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201012-jhpgfaebs6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f

MD5 hash:

c007e24adb3a4d1758a9957610ef1d5e

SHA1 hash:

de0fb943e5d3f145de1e030c2f8cd77ff0733c16

Link:

https://www.unpac.me/results/7d015ee4-72d8-408c-89d9-cf532b63092c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.