MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f
SHA3-384 hash: d5452d84bf50f898a1f1287886375f62236cf375a3b8b12311a10fd1a20b7c91cd0a8583b1643b49ea4a3bb0012e1adf
SHA1 hash: a546bfab331ef4ba59e5962bcce6be7ffbac3416
MD5 hash: 54c9248b556853d29a090ef9ba68aad0
humanhash: lion-zebra-pasta-utah
File name:54c9248b556853d29a090ef9ba68aad0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:844'800 bytes
First seen:2020-09-26 07:45:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 10c4e79da1631ecbb0bd1ff36adbf403 (3 x AgentTesla, 1 x Loki, 1 x AZORult)
ssdeep 12288:1OL2EC+KNAlnSVi4dVNkKQqdiuV7a+u9LjyXh0vv8RFryifvqEiQ:1GRYAlnG7T9V7a71j8smFrIEZ
Threatray 10'359 similar samples on MalwareBazaar
TLSH 5805BF26A2F14433C327153DDC0BB774A826BE502E28A8863BF5DF4C9F397953919297
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66035/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.24943.18452.13126.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475764
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290334 Sample: dMNSj04jb2.exe Startdate: 26/09/2020 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 2 other signatures 2->34 6 stan.exe 2->6         started        9 dMNSj04jb2.exe 2->9         started        11 stan.exe 2->11         started        process3 signatures4 36 Antivirus detection for dropped file 6->36 38 Multi AV Scanner detection for dropped file 6->38 40 Detected unpacking (changes PE section rights) 6->40 50 3 other signatures 6->50 13 stan.exe 4 6->13         started        42 Detected unpacking (creates a PE file in dynamic memory) 9->42 44 Detected unpacking (overwrites its own PE header) 9->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->46 17 dMNSj04jb2.exe 2 7 9->17         started        48 Maps a DLL or memory area into another process 11->48 20 stan.exe 4 11->20         started        process5 dnsIp6 26 bh-58.webhostbox.net 199.79.63.24, 49731, 49734, 49742 PUBLIC-DOMAIN-REGISTRYUS United States 17->26 22 C:\Users\user\AppData\Local\Temp\...\stan.exe, PE32 17->22 dropped 24 C:\Users\user\...\stan.exe:Zone.Identifier, ASCII 17->24 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->52 54 Tries to steal Mail credentials (via file access) 17->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->56 58 Tries to harvest and steal ftp login credentials 20->58 60 Tries to harvest and steal browser information (history, passwords, etc) 20->60 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-24 07:55:43 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lp3unkugumyan4skaoartdixmqvgtwd7tofaislwfkho33cwkhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5
AgentTesla
38de2a27f6860ff3215434f3088f37ffc36c3a487fbfcee619bd1af281883624
AgentTesla
537138289e71224816b26b83db4b7d5fe1021e7b915bb512bdb99b8ae5969aae
AgentTesla
869e8a26e04953a411e7454c800e022bbbb3825320ab6e3935213357789f0844
AgentTesla
93be03ee9522ffc9ea73dcf74bac994a5eabf6f373c0536f5c718af8ff819995
AgentTesla
99fa917c6f97756ac7ced3ca06142728178550f72be70326ab30420fd4e9797e
AgentTesla
a93339bcc8ab06b5ef34abc63ba05c692b285ab47ff5d13b70959a52b3f53455
AgentTesla
ce0d61881089155602217097bc0d8767227eaa1128087e0e2ea230abab0246ff
AgentTesla
e111f55125b49b9f9f07fecc8f6506062248511cda75a4428b677536db0df8d1
AgentTesla
f7a21b812eaebf24b601f897d3287979247b6025b1e20841ad8b34ec5d1c6575
AgentTesla
+ 10'349 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer upx persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200926-wdc5qf156n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
57dfa29ba2bef7a32a79e6b9f48e14fd39ef4f34d2825f19f99e40d0f448f192
MD5 hash:
861b4adc914a33e4be19d9db98bf0b42
SHA1 hash:
fe0626a10be33287fbaf5613fc15b1e876f705e9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/d00df9a9-e183-40fc-a396-cb250ba99093/
SH256 hash:
4cb02e44c8a059246b560c9b1eb48c48a51b2235f0bc14470a5858f85d6b8760
MD5 hash:
87a24b504344b69ba5742cafad5bd38a
SHA1 hash:
7484e08d52f643f3598e875d42bb4663d19a8a32
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/d00df9a9-e183-40fc-a396-cb250ba99093/
SH256 hash:
d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f
MD5 hash:
54c9248b556853d29a090ef9ba68aad0
SHA1 hash:
a546bfab331ef4ba59e5962bcce6be7ffbac3416
Link:
https://www.unpac.me/results/d00df9a9-e183-40fc-a396-cb250ba99093/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/66035/
  
URLhaus
https://urlhaus.abuse.ch/url/599406/
  
Delivery method
Distributed via web download

Comments