MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments 1

SHA256 hash:	c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978
SHA3-384 hash:	4f44c37dc1be09f01b2b7161001f92091541fe29f29e26e43fa2b37c3fd4f03bc5c1adc54caf69444f1dc4664f599840
SHA1 hash:	8b632f1eefbc46f0e6a85f16484919b724a94ea4
MD5 hash:	acdf6c2c51f143157a65212ef2d99389
humanhash:	mars-alabama-georgia-nineteen
File name:	acdf6c2c51f143157a65212ef2d99389
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	581'120 bytes
First seen:	2022-04-28 07:16:48 UTC
Last seen:	2022-04-28 07:42:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:99LWJeubuyfzD893A19yrN6+V9IoZaon0E+:rQxnz706FoApE
Threatray	16'787 similar samples on MalwareBazaar
TLSH	T1ABC41251B26D0F6AC9BFABF42414612003F27E9A3421D74F8EC6B5EB582AF141F61B53
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/267471/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39572873.23162.29972.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/626a3f88d2a90e9f3a215102/reports/b69bdee6-bd2f-4734-9c7d-6b49a69331bc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7eb26461-a3f6-4f69-b0e7-422e970843f7

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/984601

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-28 02:21:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y5u6bp6aubwxrvzqwqbrpl4wp5nkckzzl5per42ht2kqctin5f4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

31db1eaded87c877869d4c247c2da6fa3be4de4f8bcaebf61f499c50275345d6

AgentTesla

47e624d45a20608d4d50c5776a458ce37f60acfc43e2b70bfaa650336ed6b649

AgentTesla

4b0f3abe3b0c7a9356687b4c29c68f9bab4247ca92cf5c37b42eec2881d3d2ec

AgentTesla

6ab30070b29a4095465e89dbc1a4b0788625565aa7608973b274aadd715b5db1

AgentTesla

d73763f8b8d4eb91dec386eb7a2ebf9a8a9b40c6b028d57e6144ed74551d460b

AgentTesla

+ 16'777 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer suricata trojan

Link:

https://tria.ge/reports/220428-h4clhafdfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

suricata: ET MALWARE AgentTesla Exfil via FTP

Unpacked files

SH256 hash:

90b96882552bca5367115c4d05c8f6995b1f049af02e97d2c66567658ec7ddc2

MD5 hash:

ed56a085d384617c96c6b9bea7230b91

SHA1 hash:

1a47339c519212e230cbf329ae27c93af900b7cd

Link:

https://www.unpac.me/results/dc2b568e-c680-4512-be52-6e9a48b0f105/

SH256 hash:

e93f3a824397444c8f8ad30d38d2fe52c3c3882c2214d5eb0435e70f3c4e9eb5

MD5 hash:

290df6a1f34a64478b145c418d2a369f

SHA1 hash:

3ef19faf95ae4dce2e01a4e5006982ae20e4749d

Link:

https://www.unpac.me/results/dc2b568e-c680-4512-be52-6e9a48b0f105/

SH256 hash:

a8a5a00fad317d86f1a9941df3b238633b288e66afed810dbb67ef748e697ccf

MD5 hash:

932a6a7f0e9c3be6e72c667b1ca86ecc

SHA1 hash:

4ca149e89e1cd681f001ce7fdce62b1ca5da804c

Link:

https://www.unpac.me/results/dc2b568e-c680-4512-be52-6e9a48b0f105/

SH256 hash:

92fc621e886ad486195efe1b074a5186c27599e3dd4d71c72cae3078b8660ae2

MD5 hash:

e80503550a2aa077f62f09c7dc6be7e4

SHA1 hash:

f93e86c149eac50b611a1f9a7b59f5d81026262c

Link:

https://www.unpac.me/results/dc2b568e-c680-4512-be52-6e9a48b0f105/

SH256 hash:

c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978

MD5 hash:

acdf6c2c51f143157a65212ef2d99389

SHA1 hash:

8b632f1eefbc46f0e6a85f16484919b724a94ea4

Link:

https://www.unpac.me/results/dc2b568e-c680-4512-be52-6e9a48b0f105/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c769e0bfc0a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe c769e0bfc0a06d78d730b40317af967f5aa12b395f5e48f3479e95014d0de978

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2168788/

Cape

https://www.capesandbox.com/analysis/267471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-04-28 07:16:51 UTC

url : hxxp://107.175.212.60/a/vbc.exe