MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0
SHA3-384 hash: d7717c66d95cc8b4278109a64f1e9b460bee7b2a9e7010da4fc481d7a17a5f331669cb7d893526094cb78d21e416749b
SHA1 hash: c3e13d9bcbc7101e13b18315b0fe85c710a0c6c2
MD5 hash: c08042b160f9be90004776991a675aa7
humanhash: pluto-vegan-queen-tennessee
File name:Enquiries.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:960'000 bytes
First seen:2021-05-06 07:10:22 UTC
Last seen:2021-05-06 11:45:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:DXKxeayECYIL1SVapArjcsv9X4zyEolr1FhMohCoF/8TdxHtheac:jIeaSL1sGixpiyEylMO3BQxNheac
Threatray 4'544 similar samples on MalwareBazaar
TLSH 201537802666A19DD0613BBDA13134E003B8EE27F8E94DD7429C7B22FDFF9151FA1925
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151364/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713347
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405600 Sample: Enquiries.exe Startdate: 06/05/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 6 Enquiries.exe 3 2->6         started        10 newapp.exe 3 2->10         started        12 newapp.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...nquiries.exe.log, ASCII 6->25 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->51 53 Injects a PE file into a foreign processes 6->53 14 Enquiries.exe 17 5 6->14         started        55 Multi AV Scanner detection for dropped file 10->55 19 newapp.exe 14 2 10->19         started        21 newapp.exe 2 12->21         started        23 newapp.exe 12->23         started        signatures5 process6 dnsIp7 31 hosseinsoltani.ir 185.55.225.19, 80 SERVERPARSIR Iran (ISLAMIC Republic Of) 14->31 27 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->27 dropped 29 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 39 2 other signatures 14->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 02:34:32 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjd7fhef5ga46ku4cedyytz7w3qpznborff7gaprkiwkofehsdya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3bb4ba1af57ec635228b43c11b676612091f37e15b6578fca48e9a14195a9cd5
AgentTesla
8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497
AgentTesla
89a79d6e08f22036f754947d43d1c5b6ba7865e246f462dedea0836dd748a8ea
AgentTesla
8ae7d31c639421a161679c972c59516da33ae3cd97ac6f81a5fc6c6d9c9169a8
AgentTesla
98a0f70bad8b8d6877acaa0ae9d7e70127126e815db3ac71ae3492309114b6be
AgentTesla
9bdd28e639ad1bd0bd8cab6e287279db86d951b1a488786c3435f7a5f39ac383
AgentTesla
cece846f69234defbd561899682dd1f687b8ed35ef5081a8a4cd3d7d8cbc7fe5
AgentTesla
dd4a9a91785a114c43e766fa5510586338863cfbae280b8158483522eed40152
AgentTesla
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
AgentTesla
e7f63ff5c5b933e940b344dd41e44224df5a554ad03dad40b54136eddfdeac9d
AgentTesla
+ 4'534 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210506-htjta92r5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://hosseinsoltani.ir/wp-includes/gu/inc/c8a002bdd798fa.php
Unpacked files
SH256 hash:
50ceb57eff14c9ff49598a02083be6ec8cfe175fa0ce8d200ebe0ddef1532f4b
MD5 hash:
f774d9272fa47984c6c215cf5c71ed7e
SHA1 hash:
96794cb276dfe07bdecdf95f6c949b1e3266a9e1
Link:
https://www.unpac.me/results/e597914c-eba4-482c-9413-449ac05bdedf/
SH256 hash:
ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0
MD5 hash:
c08042b160f9be90004776991a675aa7
SHA1 hash:
c3e13d9bcbc7101e13b18315b0fe85c710a0c6c2
Link:
https://www.unpac.me/results/e597914c-eba4-482c-9413-449ac05bdedf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba47f29c85e981cf2a9c11078c4f3fb6e0fcb42e894bf301f1522ca7148790f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151364/

Comments