MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94e491d1b53fb257442927b2c5ec94d2bf62c37856a7bfc56d7b60da5f1831f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	d94e491d1b53fb257442927b2c5ec94d2bf62c37856a7bfc56d7b60da5f1831f
SHA3-384 hash:	8171c426e0c3baa3348f4c4a5d0425a5b96170722d4912feaf29a245d14c7d33d08e8bedbd08162eabec2ff580da5924
SHA1 hash:	a627bf34e04c54628a6ff4228d61bf6d98378ef3
MD5 hash:	36263e4d58c6fe1d3d344b4b9b17bb04
humanhash:	golf-cold-pennsylvania-west
File name:	SKM_C3350191107102300.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	40'448 bytes
First seen:	2022-02-22 16:11:29 UTC
Last seen:	2022-02-22 18:06:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	384:RNudRbMn4DfehMiQ6ulaiJMwCKTH2S3dd0hUADka9Y:RNudRbJf+Rml7MwCKt3deVDU
Threatray	15'305 similar samples on MalwareBazaar
TLSH	T1A003E71A7892961DC5D47BF869B1A19366367CE10124C18FECFDBF29A933223DCC216D
File icon (PE):
dhash icon	174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/243303/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.GLW.genEldorado.13435.10952.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

DNS request

Sending an HTTP GET request

Creating a window

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62150b5ba2660f3bb926bfb6/reports/a35d38a3-3329-40c7-8649-e6c4369a9693/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c4f9de40-c98a-48f2-840c-e375f2599b8e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/944116

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses ping.exe to check the status of other devices and networks

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d94e491d1b53fb257442927b2c5ec94d2bf62c37856a7bfc56d7b60da5f1831f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-22 16:11:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3fheshi3kp5sk5ccsj5syxwjjuv7mlbxqvvhx7cw263a3jprqmpq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6

AgentTesla

4429d5de4d9e544c06beba52b737a29e93ae559002e0aaacf532839678cdf7db

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

5518f7bfdc3e37c30964a7ff15b31879768bdfda368560a5402b60a85b740801

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0

AgentTesla

c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4

AgentTesla

fed888d3ee2847c9323f4a702bd59f99926bfa252f3109fd4924da5500ec2b7e

AgentTesla

+ 15'295 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220222-tnh9wsbhgr/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

d94e491d1b53fb257442927b2c5ec94d2bf62c37856a7bfc56d7b60da5f1831f

MD5 hash:

36263e4d58c6fe1d3d344b4b9b17bb04

SHA1 hash:

a627bf34e04c54628a6ff4228d61bf6d98378ef3

Link:

https://www.unpac.me/results/ca7b5851-4d8d-45cc-8992-271a3765a4f7/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d94e491d1b53/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/d94e491d1b53fb257442927b2c5ec94d2bf62c37856a7bfc56d7b60da5f1831f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/243303/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample