MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3
SHA3-384 hash: abe959621c0f26df60b661c1b9989f08e4ea273e4b5cf464e4eb4f30ac36aac941c03b4c217891d95e9f98be117673c4
SHA1 hash: 2dcedfdbcf527eb6680b4c4bce6f791b2681cae3
MD5 hash: 69a4737ab33facc809457a6bfa0aa2f2
humanhash: wisconsin-victor-six-bacon
File name:69a4737ab33facc809457a6bfa0aa2f2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:667'648 bytes
First seen:2021-09-20 17:58:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:bYxaM8KuQlAvTkmsIJds1oigfXnqq/Sqd5:7jQINsIJdW+l3
Threatray 10'159 similar samples on MalwareBazaar
TLSH T17FE4D130179570E5E3327AB08BB3E041F5996D32AF9D96D83843F64DC2B3642E973A25
File icon (PE):PE icon
dhash icon d4ae98f8f8b88cd0 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69a4737ab33facc809457a6bfa0aa2f2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 18:11:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e8f5eb0-cc39-43f0-bb5a-39eaee0b7841

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189562/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1031-1.UNOFFICIAL
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a window
Creating a file
Launching a process
Delayed writing of the file
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c85a7f97-5497-469c-b45c-ae24926c1c66
Result
Threat name:
AgentTesla Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854344
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486776 Sample: Y4pMlX1fO2.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 9 other signatures 2->51 7 svchost.com 1 2->7         started        11 Y4pMlX1fO2.exe 4 2->11         started        process3 file4 29 C:\...\protocolhandler.exe, PE32 7->29 dropped 31 C:\Program Files (x86)\...\misc.exe, PE32 7->31 dropped 33 C:\Program Files (x86)\...\lynchtmlconv.exe, PE32 7->33 dropped 41 98 other malicious files 7->41 dropped 59 Sample is not signed and drops a device driver 7->59 61 Drops executable to a common third party application directory 7->61 63 Infects executable files (exe, dll, sys, html) 7->63 13 nwlrFL.exe 3 7->13         started        35 C:\Windows\svchost.com, PE32 11->35 dropped 37 C:\Users\user\AppData\Local\...\setup.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\...\Y4pMlX1fO2.exe, PE32 11->39 dropped 43 8 other malicious files 11->43 dropped 65 Creates an undocumented autostart registry key 11->65 67 Drops PE files with a suspicious file extension 11->67 16 Y4pMlX1fO2.exe 3 11->16         started        signatures5 process6 file7 19 nwlrFL.exe 13->19         started        25 C:\Users\user\AppData\...\Y4pMlX1fO2.exe.log, ASCII 16->25 dropped 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->71 73 Injects a PE file into a foreign processes 16->73 21 Y4pMlX1fO2.exe 2 4 16->21         started        signatures8 process9 file10 27 C:\Users\user\AppData\Roaming\...\nwlrFL.exe, PE32 21->27 dropped 53 Tries to steal Mail credentials (via file access) 21->53 55 Tries to harvest and steal ftp login credentials 21->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->57 signatures11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:59:11 UTC
AV detection:
43 of 44 (97.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxqdn4vpu6vlhz3v5x4zh3cfkf3pew52hxmuidiikokf4qsrggrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bec1813fd645f0c1dd84ddf277999b79f1c07a94e6574a345d70184d8bfbc47
AgentTesla
13675c7709efcd13c8334d547539a2c1c7f2e78e3cf9dee498c236d869493378
AgentTesla
31b7df14c156db3291584805bdf846c7440541b9c971a15f0706b8da59e618b5
AgentTesla
5d341e97346284948f292b2acef3b6a2b48f2e1b106732aeac5046723d5ec39e
AgentTesla
6bbec289761e29f2118ce99e40cd65abb5428d53806158c5898c5db5f252af96
AgentTesla
9efe8cef3127a10a3c0ee380a77298650e7a54e9e785d86f9871c00c2ad62bdf
AgentTesla
9f5246d9c9dc30f30f1ad1ffaa3e3a5e4b81f51d2b9059527190cd3a55523eb1
AgentTesla
a0280d342cc57efcb2b0a35cd901689ef9a71d446b9741791bb0ce19e1843ac7
AgentTesla
a79cd2afe6fbd88f394601ec42877ca66fb58a0844c3838abd1e2063fe7b07ab
AgentTesla
fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2
AgentTesla
+ 10'149 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:neshta keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210920-wkqkxaega4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3
MD5 hash:
69a4737ab33facc809457a6bfa0aa2f2
SHA1 hash:
2dcedfdbcf527eb6680b4c4bce6f791b2681cae3
Link:
https://www.unpac.me/results/76a8b9bd-0515-4628-aef7-08613bd318aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe cde036f2afa7aab3e775edf993ec455176f25bba3dd9440d0853945e425131a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1628315/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189562/

Comments