MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e
SHA3-384 hash: 25324e98af35c254c7794667e3422fd696663fa174c23797297488bce2aa94dc74ee4b6c989d60f6fadb220a8a7a870c
SHA1 hash: 03b540ff7d64c6905abcd9f21589ef23c8310bae
MD5 hash: 40345c68c62dba56843c4650a408d2f7
humanhash: iowa-sodium-jersey-carbon
File name:40345c68c62dba56843c4650a408d2f7.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:21'880 bytes
First seen:2020-10-07 10:37:07 UTC
Last seen:2020-10-07 12:24:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:Ct37oxlVJ+ZWfZ/xlrLAbJlePm3ecrcYcgc1cJclNxYFr6cmHukdsKx0/E04bIjL:s3M7/+YZ/xtAb13OYFGcAd5X0FDgf2hX
Threatray 364 similar samples on MalwareBazaar
TLSH C6A2959D628C0E27E9ED633C18E3490107F0A5A32670CB7E26F653D56BA22C21E57ED5
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.big3.icu:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68880/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483982
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294434 Sample: tgbwPl3ul5.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 62 pastebin.com 2->62 70 Multi AV Scanner detection for dropped file 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected AgentTesla 2->74 76 4 other signatures 2->76 8 tgbwPl3ul5.exe 24 6 2->8         started        13 tgbwPl3ul5.exe 2->13         started        15 tgbwPl3ul5.exe 2->15         started        17 tgbwPl3ul5.exe 2->17         started        signatures3 process4 dnsIp5 64 pastebin.com 104.23.98.190, 443, 49724, 49743 CLOUDFLARENETUS United States 8->64 66 192.168.2.1 unknown unknown 8->66 58 C:\Users\user\AppData\...\tgbwPl3ul5.exe, PE32 8->58 dropped 60 C:\Users\...\tgbwPl3ul5.exe:Zone.Identifier, ASCII 8->60 dropped 78 Creates an undocumented autostart registry key 8->78 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->80 82 Creates autostart registry keys with suspicious names 8->82 88 2 other signatures 8->88 19 WerFault.exe 8->19         started        22 powershell.exe 24 8->22         started        24 powershell.exe 25 8->24         started        34 4 other processes 8->34 68 104.23.99.190, 443, 49731, 49741 CLOUDFLARENETUS United States 13->68 84 Adds a directory exclusion to Windows Defender 13->84 86 Hides threads from debuggers 13->86 26 timeout.exe 13->26         started        28 powershell.exe 13->28         started        36 2 other processes 13->36 30 timeout.exe 15->30         started        32 timeout.exe 17->32         started        file6 signatures7 process8 file9 56 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->56 dropped 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 2 other processes 34->52 54 2 other processes 36->54 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 06:09:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu2aknur7lus4qx4ha3nrwjyis4mn5b2bqf7qjvjgxx272tjhz7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
024fe29d6f94fe5fb1afead83c7e0deefa8127669e8e66043334b6bef130f9f8
AgentTesla
14fcbebcc9d8c68ee30c888473ddb5fb08d4f0026b506c66668acb8c49ff0146
AgentTesla
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
AgentTesla
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
AgentTesla
655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1
AgentTesla
778999d611a2a22f82d48b71e94588b86336376e30b07cb1c3f2230959cc10ab
AgentTesla
a3510ca0d8cbd8fb1035c1c59a8781abfc1e463d0429e108c242c23188f1adcc
AgentTesla
bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
AgentTesla
cf22a4ba35e94ec83bdf1aec7b4422009aa33f7c6a2c707513d7b1a9eafb368c
AgentTesla
f2534f52eda2331872b580d6e36f66969b14c0c1407901e41e563f5ab147708c
AgentTesla
+ 354 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence evasion trojan spyware
Link:
https://tria.ge/reports/201007-wmtxccrrf6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e
MD5 hash:
40345c68c62dba56843c4650a408d2f7
SHA1 hash:
03b540ff7d64c6905abcd9f21589ef23c8310bae
Link:
https://www.unpac.me/results/4f1352ef-2ceb-4ed8-9ab9-f801d1f0c9ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe cd34053691fae92e42fc3836d8d93844b8c6f43a0c0bf826a935efafea693e7e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68880/
  
URLhaus
https://urlhaus.abuse.ch/url/660432/
  
Delivery method
Distributed via web download

Comments