MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d256bd8308c917d175474e4bba3acc55616fb744adf0640ac4a03a7722e3ce2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	d256bd8308c917d175474e4bba3acc55616fb744adf0640ac4a03a7722e3ce2b
SHA3-384 hash:	cbe714fa376eeff82828a18577c735e550c10633ba5ba9a93bcc3e67a639849e23ed84513ce6df2eb0cb8060fce6f57f
SHA1 hash:	b7d2eba0974d80f0786ec628e98ea6300494b612
MD5 hash:	43b4c0251112f5bea8a826dd2461bf7b
humanhash:	rugby-cup-solar-august
File name:	d256bd8308c917d175474e4bba3acc55616fb744adf0640ac4a03a7722e3ce2b
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	714'752 bytes
First seen:	2020-11-14 17:49:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2198dce435faa52a41b785f39a5a49fe (30 x AgentTesla, 24 x Loki, 9 x HawkEye)
ssdeep	12288:3gPYHXItaKN49e5N/Bv44Q9aYhiF9xOoP+IYtWChzB/:3gPQkaE3TBw9rG9AoSWOB/
Threatray	2'781 similar samples on MalwareBazaar
TLSH	6BE49E26E2D05833F1761A3C9D0BA7A89835BD103D28F97A3BF51D3C9F396412C652A7
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Undefined-6663182-0

Win.Malware.Bulz-9790659-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Moving of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/536459

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Maps a DLL or memory area into another process

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d256bd8308c917d175474e4bba3acc55616fb744adf0640ac4a03a7722e3ce2b/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-11-14 17:50:20 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2jll3ayizel5c5khjzf3uowmkvqw7n2evxygicweua5hoixdzyvq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1d6004838e32ca7b5763964c99d3c92fc591c7b21d0de3595a7da27794ec5ab6

AgentTesla

326af407f3ff8e28d1f0b1aeb72eaf46dc8d54d05f2dd39758d4b0144101ed90

AgentTesla

36c02298ff3689fbabd7f474b5518355e2ea6df0b4903815f9c43bddb87b5a6d

AgentTesla

3acb8c900b76d7232dcb0dd75e92f7647468a845bba8fb42dce2bc1ec2bb1d2f

AgentTesla

3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1

AgentTesla

7b3834838c8089d4af4508d5961ea134c7ae331dfe350381f38fb6ffda679726

AgentTesla

d2e0d084dc1d9d203c90d09872553c5e02c09491c18407139792dd57eae4f38b

AgentTesla

e4ef5297d417e9facedcefdc568d9f09deb3df0217d94a69dfa23c1238e1eced

AgentTesla

feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3

AgentTesla

+ 2'771 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201114-6gb5x4jn9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

d256bd8308c917d175474e4bba3acc55616fb744adf0640ac4a03a7722e3ce2b

MD5 hash:

43b4c0251112f5bea8a826dd2461bf7b

SHA1 hash:

b7d2eba0974d80f0786ec628e98ea6300494b612

Link:

https://www.unpac.me/results/58ddfa0f-ef0b-4442-be8e-240297717e17/

SH256 hash:

515379f2a67985083e4d0b8229a2955ef3f122a705223e8c47aed4713f9f7114

MD5 hash:

9832f513415fe6dac8c4e3cc71e9d56b

SHA1 hash:

cffb2e214b073487bd34ef73460a082190e2b30b

Link:

https://www.unpac.me/results/58ddfa0f-ef0b-4442-be8e-240297717e17/

SH256 hash:

c43614b225df54035a3f74a42ca599754fc9541af59dc9992d5dcc6bd829a470

MD5 hash:

479ba47a96c3cb04de728e7a691766ea

SHA1 hash:

708eb439786de6f8d4000715f84c6e70961ad358

Link:

https://www.unpac.me/results/58ddfa0f-ef0b-4442-be8e-240297717e17/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample