MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c
SHA3-384 hash: af59bcf67de94ac82359b70834df0da7434aa0668ef79793ad46f8351893cb8c0747ebd291caac17443fd2babce05d89
SHA1 hash: 6f5c97ce545ddc9bed1dc00c88c75a250e812306
MD5 hash: 3b7d27e16b54778d70f4b5ec45799c6b
humanhash: freddie-twenty-georgia-helium
File name:FINAL PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:785'920 bytes
First seen:2020-10-05 09:59:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:o+0ZcYDCr+UGUJf5gQ3APQkEIKcmRodY0MGvhEv7WRCEBb9bt1fJHVmNteMwv8G:/0aY2rTGUxAPeDcQodBr4XAbt13mt
Threatray 9'755 similar samples on MalwareBazaar
TLSH 57F4F1A677C07B8ED53F4D3681421910ABF1D6334A03F7C76CE718EC498D6A6DA622D2
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68113/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481204
Signature
Found malware configuration
Injects a PE file into a foreign processes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 03:43:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rs76iw4tpqiika5jdbyk6373q732vaxc7raczrh65nyuqasqoga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00e8d6de1e2450594b8e61c5f8ce0b7c0b0aff075e72e79b7be035203511abbb
AgentTesla
17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519
AgentTesla
1e351911bf4f3405c644d9145ba2947cf78e9049578fe1e64b3466478ad3e1cf
AgentTesla
3315dba57b06d3e95fdab93ad09e5a67755b7ecf81274b0907cfe2e051e36b3b
AgentTesla
5a06b1aee5d39a7c1f86db45aec3215560a5bb3d9e1fab189b18877e3be10e36
AgentTesla
5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
AgentTesla
636ed47033dc0066e0e169d4be9d01b56886b255cd5d351b481e35200f507b43
AgentTesla
c57e0fc02e939ef6d9f2e1d92cd74d6ed7df502a1c2ded6e8ae68f6bc5ff3aec
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
ecd0c9515106232ce9cb2e64bd93d688a4e6211dd0a42582f39435c3652ccf86
AgentTesla
+ 9'745 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201005-bev6qh28wn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c
MD5 hash:
3b7d27e16b54778d70f4b5ec45799c6b
SHA1 hash:
6f5c97ce545ddc9bed1dc00c88c75a250e812306
Link:
https://www.unpac.me/results/408d6fc4-3460-4c6d-9089-3b757dac2167/
SH256 hash:
a3feaa6669f5d59f0e470182dbf04f0031accc177a5f438c22e083261ea6126a
MD5 hash:
8c636a1c3d02273570541cebf0b641b5
SHA1 hash:
2e959d04f16defce6ffe4b178f5b2bc8ed96a280
Link:
https://www.unpac.me/results/408d6fc4-3460-4c6d-9089-3b757dac2167/
SH256 hash:
01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a
MD5 hash:
eb593633270aa19162cf64663df9dd6c
SHA1 hash:
2ec57181471ff10abe9a04239ca3ea86ea4252b9
Link:
https://www.unpac.me/results/408d6fc4-3460-4c6d-9089-3b757dac2167/
SH256 hash:
1f2587083d6fb2f4d3ee4765f375ba71124216981bb6b0545bb304c1a4788e50
MD5 hash:
a5f9e5d1d753f6d2c370345dcb93aefb
SHA1 hash:
36aae6dc85f8124be9384aaea9d3e1ead27e7be1
Link:
https://www.unpac.me/results/408d6fc4-3460-4c6d-9089-3b757dac2167/
SH256 hash:
07825bb443b7e1ae8766d3b6f72d4ca660cd06674cada58a8b18af9769bd1680
MD5 hash:
75e5954fc8ea6039c49b098c580dcbad
SHA1 hash:
dc1e9cd3c4d64124d672a2c8548ef9dc9c82236a
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/408d6fc4-3460-4c6d-9089-3b757dac2167/
Parent samples :
d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c
ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f
6654538b324aae34cc6a17b040e39b89670369fedc3e06d869af0f59dd4c0d23
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68113/

Comments