MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b88873800d3b8f5dfc5bdf05009809efe725bbb8970cfb05cb6916452d4501a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	b88873800d3b8f5dfc5bdf05009809efe725bbb8970cfb05cb6916452d4501a7
SHA3-384 hash:	9c54ae551f35ae6129772a9efb6b2760c004dbd0986135199b81f502a97c2694e52b550e8bfe20ae7ab7f202d9941e69
SHA1 hash:	639e8ee368923a5d965685985353474fa35ad70a
MD5 hash:	7a40cd9e714745a9bce60e0d701561d1
humanhash:	coffee-alaska-one-enemy
File name:	SecuriteInfo.com.W32.AIDetect.malware1.17748.8352
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	234'119 bytes
First seen:	2021-07-21 00:57:57 UTC
Last seen:	2021-07-21 13:11:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d7cd0c2a85ac74a96a6bff797c472b4b (1 x AgentTesla, 1 x Formbook, 1 x SnakeKeylogger)
ssdeep	6144:SdhV2L14Nr5tesU+OCVM4cn6BbRfICRcGiCZnmB1OYiHH:4h014NrH1nBSxCyGiCtM1OYin
Threatray	7'116 similar samples on MalwareBazaar
TLSH	T11A3402B9434E4397EB13A239BB2CE676DBF5983522CF82321735358980D55C6A398B07
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware1.17748.8352

Verdict:

Malicious activity

Analysis date:

2021-07-21 00:59:47 UTC

Tags:

trojan rat agenttesla

Link:

https://app.any.run/tasks/f0e66a1c-aa84-4bcf-b3c8-92fdc2843ffc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/172909/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.17748.8352.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/87f123ac-3ed9-4b86-a24a-07adf24b47a5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819273

Signature

Drops executable to a common third party application directory

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b88873800d3b8f5dfc5bdf05009809efe725bbb8970cfb05cb6916452d4501a7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-21 00:45:16 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcehhaanhohv37c334cqbgaj57tslo5ys4gpwbolneleklkfagtq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0ec33a389aa412cdb6e7572d8ead37808814409609e423d67a9cf1f364d766fe

AgentTesla

678b3bcdba43bb32445d3088d4dd3ce9209a23381841830ab4c1ea8cb609edd3

AgentTesla

9118a3603bd00a677536dc8f29fe954ffb9d3479f29b9d0ddfe829e5d20d4bc1

AgentTesla

97176022ddfb3e4bf47b232755c82139220328a52e6e825ed783cdbdf3549757

AgentTesla

9c2582376fbfe87d35b10d515bc3f9668b545b461317035fef4fbde46926617a

AgentTesla

caef1c1bf021d8a6adbf6032e999aa68e1052014bdc8691dfbf182eeadc338f1

AgentTesla

cb39ca4eb7f5c23639bf05752a6e57f28346b35ad175845b2ed0a5caa019fe77

AgentTesla

d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f

AgentTesla

dc5d2c1e1e0bbce8f84b0ef295b9187c98d514765c92ddb720ed17322789a09f

AgentTesla

+ 7'106 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210721-vj8ddq8e8a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Unpacked files

SH256 hash:

0ea5f38a33714a857aa46a7dd180fd85fea2e0eb1e919671d13b2fb5cae5296e

MD5 hash:

fd759dd1bc9fd7410275b3241e033056

SHA1 hash:

1b54a28e2733bb327613d9b28faf52bd03cecefe

Link:

https://www.unpac.me/results/7fdd6355-e498-48c4-be6b-4c800a6296ca/

SH256 hash:

b88873800d3b8f5dfc5bdf05009809efe725bbb8970cfb05cb6916452d4501a7

MD5 hash:

7a40cd9e714745a9bce60e0d701561d1

SHA1 hash:

639e8ee368923a5d965685985353474fa35ad70a

Link:

https://www.unpac.me/results/7fdd6355-e498-48c4-be6b-4c800a6296ca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.63

Link:

https://yomi.yoroi.company/submissions/b88873800d3b8f5dfc5bdf05009809efe725bbb8970cfb05cb6916452d4501a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/172909/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample