MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beab19e796d64d3fb25a343dab92efc44fde8f34bc2398fa381c22763cb47cd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: beab19e796d64d3fb25a343dab92efc44fde8f34bc2398fa381c22763cb47cd0
SHA3-384 hash: 7faad924086781a2e8652213fceb1825689eb4b1a2c94c8b1300fb83c14cb9876cde7bbbd5b7dd2ba7b1e3f29b3693f9
SHA1 hash: 4295081558bd2a608d8e9b2ce0e395de128abb78
MD5 hash: 8c9f13296b6e3260d9ca9f7254bd46a7
humanhash: tango-whiskey-sweet-glucose
File name:Curriculum Vitae Rita Molina.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'459'200 bytes
First seen:2021-07-07 13:32:11 UTC
Last seen:2021-07-07 14:47:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:VPTDaIMVjLz7TkqiOcez3gVZsZZZsZEJsDsr5bx9Vpw7g3UAVHLFNMSF9WPl7k9d:aiOlaD4lcZArNM4IwxOsnpD
Threatray 6'466 similar samples on MalwareBazaar
TLSH 75659E3576729F91DD7FC7384331D13C4FB4AE66E207E67968E8789B24B0B810A16623
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Curriculum Vitae Rita Molina.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 13:35:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4180e768-fbcf-498c-b89b-5becfbc74974

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170209/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.27013.26620.26126.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d1c05af-7d94-4b5b-b4e3-e170600863a3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812898
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/beab19e796d64d3fb25a343dab92efc44fde8f34bc2398fa381c22763cb47cd0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 11:41:42 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2vrtz4w2zgt7ms2gq62xexpyrh55dzuxqrzr6rydqrhmpfuptia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0163f04792cbec67b028f5deb577699dc4c645308d702da0e555cf325f043d53
AgentTesla
2c843e853f219d3351e07f0474118c2edf970b3d4f90d3e0f5a9e6298e3ca494
AgentTesla
3914a1dd5bbef9edeceffa718d5006dce7347b1a3019b452ce754605c0e32e2e
AgentTesla
72ea41f7ce02b41072d1dce424f9e4a2a7c9e414c1038d26a11f685a3371473e
AgentTesla
8a0ad791edcb0ee362e6013e5b86204205b5869aae17294f14047ed26f1dddd2
AgentTesla
996474e9de0e7a9ac180577488e2d3603eef101a84f1b04400681ef28fd7240e
AgentTesla
a6d3022b85a06e7711cf0a95786517d098852f39687134c70cc0a718c57b5016
AgentTesla
bbc58c383af4cec887ff89c326d694c9ece8b4f786577d1b1a2c3497fc58e052
AgentTesla
bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f
AgentTesla
e31877ea4f4cd6511438c4015e6eedbbc1d9c4114047927c860a2352b2002fa0
AgentTesla
+ 6'456 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210707-sjdn98lc8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/97822523-59ae-44e5-b954-d78c9eb374c5/
SH256 hash:
77aae8017062f50da5b59dda4f17a38a33b11eddc8058bf10c81cc1f13117b41
MD5 hash:
23c72480f94231b2df79b74346674926
SHA1 hash:
674446df2d92d7d7755bb1d5f7d64eb729bb2d38
Link:
https://www.unpac.me/results/97822523-59ae-44e5-b954-d78c9eb374c5/
SH256 hash:
01c83f61fc1b75818ae0914a2249022279087190628824e962b2f03fc8c87028
MD5 hash:
9a69c377c25c5bd1b4578ef9404f04af
SHA1 hash:
4d90a5e36e6a7924a15a31cfb7665474207673d4
Link:
https://www.unpac.me/results/97822523-59ae-44e5-b954-d78c9eb374c5/
SH256 hash:
beab19e796d64d3fb25a343dab92efc44fde8f34bc2398fa381c22763cb47cd0
MD5 hash:
8c9f13296b6e3260d9ca9f7254bd46a7
SHA1 hash:
4295081558bd2a608d8e9b2ce0e395de128abb78
Link:
https://www.unpac.me/results/97822523-59ae-44e5-b954-d78c9eb374c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/beab19e796d64d3fb25a343dab92efc44fde8f34bc2398fa381c22763cb47cd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170209/

Comments