MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267
SHA3-384 hash:	232833621dc34ab270d05286382ff9196b551c776795ab5318f87843017e987e0a2a4dab0895cf3899279af46a8b23fa
SHA1 hash:	672cdf073db5aa637572848bb2f6fd9a0a8c8ebc
MD5 hash:	bddd312aa24da8bf54b1c464f4d924c2
humanhash:	paris-berlin-seventeen-twenty
File name:	wOJ9BroUUOSJerB.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	757'760 bytes
First seen:	2021-08-16 09:50:46 UTC
Last seen:	2021-08-16 15:00:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:M7YZ0Mh9H2OI2Y+YdlpZiV+dlZHVh3bU4wb1c62y5JOEPpBja:WG069WOoFlTJTxnLU4wbJHPi
Threatray	8'461 similar samples on MalwareBazaar
TLSH	T117F4B07071E78A96F51F4A742578BD5403B231F3A9C699391B1A214ACFEDE983F4820F
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

wOJ9BroUUOSJerB.exe

Verdict:

Malicious activity

Analysis date:

2021-08-16 09:53:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90389196-4d59-4c9e-9711-4c8bbdf9aaf5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/179493/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8dc12afb-c65b-4f4d-9015-a5a1d8dbad95

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/833428

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: SAM Dump to AppData

Sigma detected: Suspicious PowerShell Invocations - Specific

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-16 07:30:09 UTC

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xb2jnlppkgdwftbqmz4ipgtdrdsn2cfin4ohyvnmhxpn2zpbsjtq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

415b10893472bbb91cdb899737b006432302503b58352998f503745b1471e601

AgentTesla

4f6d66cea6a8dcd4a29089e58d5adc3858445d4bba816fb2aa6ebc9cecfea68b

AgentTesla

5269e07c6514d9e79439746e25f0e44d6ddcec1bc5699cc75eab982a04ba8767

AgentTesla

64550a0d3d1c28b1ec50006327a707b7287997aa7ca146153440935a033ccb97

AgentTesla

6f0a6315305a918cfaa7ec77275bd65a0acddbbac8b631ffe4dfb846a057a607

AgentTesla

8b7c8b471a0f5e45026d07fabae3eb68f7251d066830cd68e7cf5a7fd342e13b

AgentTesla

8f28eb3a5a98a63955599167bc56f778544421f9e96fbb5502caa37e954db0fc

AgentTesla

b0ceb69b666e841d84421dac62ca763d5fcc4621511527a3bbf83a72fdf5520e

AgentTesla

f9dc8d66ab3eb2ecf3a55276d8389ca7b688d78cdad725fd762714e311efd02f

AgentTesla

+ 8'451 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210816-8klcqlr3q6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/0ea39f0b-3a1b-4ec4-be47-0d38430d90dc/

SH256 hash:

885c05665d62d28c80eb89dfd1485f18f1162c3b9e7722436876bb1944103fdb

MD5 hash:

3ae33a5eaee82be9a4a1c52719df5b17

SHA1 hash:

bf1701b4dc5144a3391ea6e690b3c252fdf4a296

Link:

https://www.unpac.me/results/0ea39f0b-3a1b-4ec4-be47-0d38430d90dc/

SH256 hash:

763fe93912efa74d402e44b2fb08c4dd062dc2619d3bd25494dfd5b1c710511d

MD5 hash:

3d1cf289681ab9c851e4590a266b62b3

SHA1 hash:

73363646559080eff48d2c5199747f5bb9403059

Link:

https://www.unpac.me/results/0ea39f0b-3a1b-4ec4-be47-0d38430d90dc/

SH256 hash:

b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267

MD5 hash:

bddd312aa24da8bf54b1c464f4d924c2

SHA1 hash:

672cdf073db5aa637572848bb2f6fd9a0a8c8ebc

Link:

https://www.unpac.me/results/0ea39f0b-3a1b-4ec4-be47-0d38430d90dc/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b87496adef51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179493/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample