MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3
SHA3-384 hash: b0549f9a5360d9c97506d134c6d526781372b0d44ed7e9b0c06971b09c8b4f6110ec3d18b6ddfa7a97633a2ef5cafd1a
SHA1 hash: 4e3c342c4fb567f78e8a91a1f91ee7d18a3351dc
MD5 hash: ff39cfda26bd410c078d509c552688c7
humanhash: vermont-stairway-ten-sixteen
File name:ff39cfda26bd410c078d509c552688c7.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:794'936 bytes
First seen:2021-05-05 12:50:22 UTC
Last seen:2021-05-05 14:03:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qc1fxhwL8mLAHefRIZtbVqrTwqEZdw8emlB++t2qA9kOIi:5ZyJAH/ZtxqEZdw8LB+gG/
Threatray 37 similar samples on MalwareBazaar
TLSH AFF48D0057E85B97C2AE03B9E198E63173F5DE01A25AAB8B684BF9F53F7339145009D3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150600/
Detection(s):
SecuriteInfo.com.Trojan0057be311.2960.9696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711936
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 08:40:31 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
060685f00b5569a8d8e1d58a2e50dd7359833e8b6c12ffabb0ce02bb42c5db53
AgentTesla
0e16268b5f26f1f7314bb1b21bb246b99ee4fd6e000818edc94f7efa67964a4d
AgentTesla
3efb8d6a873c1553f95c6d20ef6a489530040080a837fbf7cf91108501e8fa49
AgentTesla
452f6c82573df4442dc2b111140c09c86fcdb5d776487dd6d2386645b319024f
AgentTesla
4b2b38ac21633e5df154ad4cb368f77db88a245edc825cac374193120ad8416d
AgentTesla
80e9c429bf5d6b1116009980d85bd36ad7b3c05a5ad0f69a836bbcd7d0df7090
AgentTesla
a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6
AgentTesla
a517552827e4823129d29a86c716decae6366d7bad5d8521ba6d1fd52547147d
AgentTesla
b65eed317058df5ddd4247ec93ac2b555ae2c29b751ee455ceee3dd9b670ecad
AgentTesla
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
AgentTesla
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210505-vgks1tcaex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
34bbea772d6bc2ffb6ff879346cf025379e6b65a7e76dcb94dbe61dc588ba9fa
MD5 hash:
a12bff5e88ef00d440dc169760b797d5
SHA1 hash:
fd4f32f1a3c5f9efc34ed101661f732cfac814b0
Link:
https://www.unpac.me/results/05e17b88-4379-4153-9611-99ba97b05901/
SH256 hash:
af425db9735242ff534fbd507e8fc8fc5ed5344d21322328918cd5c928c8ae19
MD5 hash:
a764da41bbcf3b2f1611a8feb779b3db
SHA1 hash:
a8d31877f09d2ae550d921a60de3780c7e8f310c
Link:
https://www.unpac.me/results/05e17b88-4379-4153-9611-99ba97b05901/
SH256 hash:
14c7880789a33dc92492712a1351bad851412e01bb0f409fcb59213b3c999fac
MD5 hash:
106c029d55f866bedc8e93d5ca18a3e8
SHA1 hash:
37e0090e42d469f56a060444e7c2a40b3c73c4a1
Link:
https://www.unpac.me/results/05e17b88-4379-4153-9611-99ba97b05901/
SH256 hash:
d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3
MD5 hash:
ff39cfda26bd410c078d509c552688c7
SHA1 hash:
4e3c342c4fb567f78e8a91a1f91ee7d18a3351dc
Link:
https://www.unpac.me/results/05e17b88-4379-4153-9611-99ba97b05901/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d1497a0b392b283ffa3cb0044a2c559288fe268296333d902556c3d0688fade3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1196314/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/150600/

Comments