MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c831c5bd72fe678827448b378fb51fe9a9445642579a39bbe8f36ed55b1441f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	c831c5bd72fe678827448b378fb51fe9a9445642579a39bbe8f36ed55b1441f6
SHA3-384 hash:	c09d60baf0f87f6b03d705048f19e66799671029c0db505a552a775e1d9cd365a6c6b6422b7a507f4334015ec749f742
SHA1 hash:	2f33482678ece6e453ab47eee0769a56509fd7f6
MD5 hash:	1bf862edc68c6e664d41aa8b7cbb434d
humanhash:	twelve-beer-queen-hamper
File name:	Price.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'058'304 bytes
First seen:	2021-06-18 05:40:47 UTC
Last seen:	2021-06-18 06:47:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:6Ehlm4S4F3M9yESMPQipP599kew2GLBurKIDJNwGevMm84zZEVhHQcSLQqf:xWkip6jRLBW38GevwSEXHB
Threatray	6'182 similar samples on MalwareBazaar
TLSH	E535AF221ECF422EE1768FB557B0BC8782B76E663605E2153DC0329DCA33599CDDE522
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Price.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-18 05:44:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c02b60bf-acb5-4ea6-b40f-04667b038b3a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/166721/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.851.525.11757.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2358a9a9-8a1f-4bc2-beb5-f69b5cf99de3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/804098

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c831c5bd72fe678827448b378fb51fe9a9445642579a39bbe8f36ed55b1441f6/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2021-06-17 21:25:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zay4lpls7ztyqj2erm3y7ni75guuivsck6ndto7i6nxnkwyuih3a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2357a2cad3fa915263036c5d9de8e77927115db4f07f90934d2335dda3bf22ee

AgentTesla

3daf49b81d1c57e27736ae2a02507ba5db772fc23e27fc452d6f8527f2afe7b1

AgentTesla

5ca45778c78ee6461fe3088afcefa5969db93817857e1dc2a7209912ba9b09ae

AgentTesla

640857d027059d3b44417bc66b120b8c0841d7d7a072aa458b4be41a9e58b92e

AgentTesla

9cf0ad120d6b3b0c632047d9963328e6afd535786a89108df10c6e8777c14531

AgentTesla

ae44346a0297d8a9deab5419ff2b4679b83646abbed05b835c90fc33eb3ce2d5

AgentTesla

d38bb1b3101c884a76c74e28a10ad25c0eb60b5fab41985a447bae62c1af2085

AgentTesla

e5ea618e1c51b6f724e1527d81465fb53693449199b768bacc62d0caca5c1fbc

AgentTesla

f74cdb3b1d0e2e2959326ae6d3c24b8dd1b74fee0258b96ae8a6b69a8c6efcff

AgentTesla

+ 6'172 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210618-9rfpzsyazj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

8e8cbf4a5b194908657cbe674c137cdfd0447d43e2fc40318fd2636d9c87c051

MD5 hash:

d6b12689b6d18879bd31adc4c585bbcb

SHA1 hash:

fb476310e8521bee22331c66489d80f4693e8a3c

Link:

https://www.unpac.me/results/ffe52348-1fa5-470c-b893-d0af21fb5a61/

SH256 hash:

c831c5bd72fe678827448b378fb51fe9a9445642579a39bbe8f36ed55b1441f6

MD5 hash:

1bf862edc68c6e664d41aa8b7cbb434d

SHA1 hash:

2f33482678ece6e453ab47eee0769a56509fd7f6

Link:

https://www.unpac.me/results/ffe52348-1fa5-470c-b893-d0af21fb5a61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/c831c5bd72fe678827448b378fb51fe9a9445642579a39bbe8f36ed55b1441f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.