MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d993500037d8227b21922cf05a2838753575ef187d782eb656c86df24d60776d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 7
| SHA256 hash: | d993500037d8227b21922cf05a2838753575ef187d782eb656c86df24d60776d |
|---|---|
| SHA3-384 hash: | ac9a9a21535b0bda82aa9109f4a414374e42cdf4a7e2cc8a06a4d51e65811a083d415e8cec51a10232e6a4e93a91b14a |
| SHA1 hash: | 6ca3996e57880b2b12d98acb0c7b54fdcd8cf1ee |
| MD5 hash: | 26f2590db2cac4c5e9aee2a17eddda23 |
| humanhash: | paris-friend-colorado-early |
| File name: | 26f2590db2cac4c5e9aee2a17eddda23 |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 760'832 bytes |
| First seen: | 2020-11-17 11:29:03 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:GV/pXbImxXwS9Wjy7ABH84I0wmX/Z+QtZRUWcu9SXMyCpgYYMcjcLG4nTI:WEyEJFFBNjUWZPtGYMc/nT |
| Threatray | 1'295 similar samples on MalwareBazaar |
| TLSH | BBF4BEA763983F67E03DD3B9A5280815C3F4ED52D722EB4D7D8A30CE8854F5287A161B |
| Reporter |  seifreed |
| Tags: | AgentTesla |
Intelligence
File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Status:
Malicious
First seen:
2020-11-11 08:41:22 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 1'285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
SH256 hash:
076780034df94e9f22ff236a0ec23f6f120380846f8e64abd69fa1722ed9a4fd
MD5 hash:
b63f644f06f65ee93b5f400683da9224
SHA1 hash:
7971cce0469c98567bada2fdf5806651e1d8af1d
SH256 hash:
fb7de8adf33bd05ef62cc2140173e137def4a64ba4dca3f859509d3da53507ac
MD5 hash:
df47b01b55ef48fda40fdc69ba91fdf9
SHA1 hash:
9023a70b0f1194c75937619a24897bcf31cd1e3d
SH256 hash:
10fa87cd908dabe73900b595525d44bbbda7a2102bc454d1b1fcc78b85f2c3ea
MD5 hash:
93ef231997718721270d2b7dce3c1ef7
SHA1 hash:
af0f549063b83bb0aed30bee88b06ce5425a3f91
SH256 hash:
d993500037d8227b21922cf05a2838753575ef187d782eb656c86df24d60776d
MD5 hash:
26f2590db2cac4c5e9aee2a17eddda23
SHA1 hash:
6ca3996e57880b2b12d98acb0c7b54fdcd8cf1ee
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_AgentTesla_20200929 |
|---|---|
| Author: | abuse.ch |
| Description: | Detects AgentTesla PE |
| Rule name: | MALWARE_Win_AgentTeslaV3 |
|---|---|
| Author: | ditekshen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | win_agent_tesla_v1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects Agent Tesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.