MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380
SHA3-384 hash: e78ce3932e7521726c2130ade675f7f777189857995088a47645ea45122b9ac189bb8b41882cabc11c5fb5af3ac8680b
SHA1 hash: 815f3a0ac526b3cfe045b895fa67f2fe86b16c19
MD5 hash: 8ef5af158fa7507964eb13cd10982f84
humanhash: orange-march-kilo-uniform
File name:GRACE.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:26'120 bytes
First seen:2020-12-03 08:09:59 UTC
Last seen:2020-12-03 10:26:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:1XeJDK9RdjqblSZw0ctpP84POBoczb4Cw0RZDgf2ha:8tK9RdublSZcnQBoGbbdZUf2ha
Threatray 1'632 similar samples on MalwareBazaar
TLSH 40C22A245BC60427F3FACB3297CB999047F5E383B572CABF55E9539249C32812E113A6
Reporter cocaman
Tags:AgentTesla exe

Code Signing Certificate

Organisation:Fabdedaafddb
Issuer:Fabdedaafddb
Algorithm:sha256WithRSAEncryption
Valid from:Dec 3 01:35:40 2020 GMT
Valid to:Dec 3 01:35:40 2021 GMT
Serial number: 277954972D84811E0E3587CA4317D857
Thumbprint Algorithm:SHA256
Thumbprint: 9FCE1EF35945DADAB9CA0039ED0B35A40F94BA03F0454BE9BD9FCB35AF13E176
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106535/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34670.bmX@aW7ow3e.17429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/554397
Signature
.NET source code contains very large array initializations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326297 Sample: GRACE.EXE Startdate: 03/12/2020 Architecture: WINDOWS Score: 24 15 .NET source code contains very large array initializations 2->15 7 GRACE.EXE 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 conhost.exe 9->11         started        13 timeout.exe 9->13         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380/
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:10:08 UTC
File Type:
PE (.Net Exe)
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ev2c4gibkh4xrylixfcizzqwmgroixawobaph6plbjpryhzioaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
89a79d6e08f22036f754947d43d1c5b6ba7865e246f462dedea0836dd748a8ea
AgentTesla
97a573fd680ef24fba3d6d7247f05e3425696b8077f4afda2279801f6d4a57d4
AgentTesla
9f8b07904b0eae73af7985f15e3a60ae8d57834dc949035429802eb53889a1f9
AgentTesla
a148266deff592c1ba38bc1616f5483f7ba9d73f97dd88a3def54834b8434a1e
AgentTesla
be97e48f58000a3482ffd6b332e60b08a38ff72eb132fadc44d2d72de371e74f
AgentTesla
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
AgentTesla
e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8
AgentTesla
fb5e770325e5d90b7de5f851ac2c14d72d18571f52d73d1bea12985e72b9c0fa
AgentTesla
+ 1'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201203-18sbr3ybqe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380
MD5 hash:
8ef5af158fa7507964eb13cd10982f84
SHA1 hash:
815f3a0ac526b3cfe045b895fa67f2fe86b16c19
Link:
https://www.unpac.me/results/8e738d94-8271-423e-b10b-dd4081cb18e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 904b24f44485c4778a314e0971af3f21e8b5a1fa2f3f59b83028748b4f2f012a

AgentTesla

Executable exe d92ba170c80a8fcbc70b45ca246730b30d1722e0b382079fcf5852f8e0f94380

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 904b24f44485c4778a314e0971af3f21e8b5a1fa2f3f59b83028748b4f2f012a
Cape
Cape
https://www.capesandbox.com/analysis/106535/

Comments