MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a
SHA3-384 hash:	ba3ccf403dce363ade26948e3e02b582ff6a441f509515ab73b2bddd429ed029c3c6ddb23519273a335fa91d6f197bd3
SHA1 hash:	b14273a8e2032513e81ab508263511c3f9fc97de
MD5 hash:	0e28762c0243fd4e03fa43ae5a0d685a
humanhash:	friend-venus-iowa-bulldog
File name:	Hldwibuy4.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	564'736 bytes
First seen:	2020-12-04 19:56:19 UTC
Last seen:	2020-12-04 21:48:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:2nRJyu3iCA8VeuE57bbgsO8IKV4XUr1IW:ARf5A8Qbbg183V2
Threatray	58 similar samples on MalwareBazaar
TLSH	F8C4386E3B7396DBD810C5746B11C2381AA36CC5E849C6AEB9C97F6FB4F12C014812BD
Reporter	JoulK
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://sparepartiran.com/js/2Q/Hldwibuy4.exe

Verdict:

No threats detected

Analysis date:

2020-11-25 20:40:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/72b253b2-6fbc-4aa2-a45f-6631099383d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106821/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.31.32552.14178.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Changing the hosts file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/556050

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-25 11:48:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2brcm5qkgfv6emknvjrp4ug3fipygnuyiwpkgldi4k4ievjtw55a._file

Verdict:

malicious

AgentTesla

0c2e617efd564557bce2248bb25254d7c5a091eba9529e48cadca43517431596

AgentTesla

291a081e38d4d12af7da73e4fafe9d2a9e001bc88e0f1a503037b7ffedcd4b68

AgentTesla

31b06ca8f90f735bd3b209e576db1da2a5ab7f661b58f85eaabcde2181978003

AgentTesla

3c64fe15d5f111ea7d72ee90493329d95d1c1ceb5e13237f616db5a71fd149cf

AgentTesla

5d0c908497b27de7918ac9e938a939ca63505dda638cc5fede5a6e067a4e325f

AgentTesla

754415201ac666285c12b35d0fc3ab30f7fb48d7a9c9c54c8cee746be8ed4e7a

AgentTesla

77d3172d77aa45c61b8563dcb13b26bd2f8f9fb4cbc2fcc966966a26f316ba56

AgentTesla

bfad657014ecab9f87306e695510f55528dbd0a33302a71da260e77285e00c06

AgentTesla

ee86f083fdb8d5e2f4d1d609faf964fa08a01875bc0abb364aeb09bb83c35f8c

AgentTesla

+ 48 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201204-9em6q6chm6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a

MD5 hash:

0e28762c0243fd4e03fa43ae5a0d685a

SHA1 hash:

b14273a8e2032513e81ab508263511c3f9fc97de

Link:

https://www.unpac.me/results/7b3ebd32-3d59-4166-a378-27d71ec95fe5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe d06226760a316be2314daa62fe50db2a1f833698459ea32c68e2b8825533b77a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/854076/

Cape

https://www.capesandbox.com/analysis/106821/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample