MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648
SHA3-384 hash: a73e4359c48e887260aa99b9f1c36b5dd4189b04fb0761c76c079a8b223d35b46d37f00ff347ad5d6331bd4d1c7601f3
SHA1 hash: 4a4da0c67274da65e0ea70e8d2ad8a5f56c7cc62
MD5 hash: f5bbe08ae98556abd753b479ce939e44
humanhash: blue-march-item-ink
File name:triage_dropped_file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'164'800 bytes
First seen:2021-08-30 14:13:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:oGuNI8bK4HtLGEUBXeu0BU5SisIid0kph+QrA2r79gEflEGD/XnyP112PdsfLose:M7Oh5TBf1cTglCVF8QeI
Threatray 9'145 similar samples on MalwareBazaar
TLSH T1D445DA3DAD252633E7BE86F8D4960D4EE69450CB22335DDF46D6A3882007617B6FA31C
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
Malicious activity
Analysis date:
2021-08-30 14:17:27 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/c7467169-fda1-4060-bb35-e126b7c22561

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183802/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.1573.17792.4836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b673de42-0254-4890-b2e1-757fdcc8fe6d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841799
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474226 Sample: triage_dropped_file Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 7 other signatures 2->64 7 triage_dropped_file.exe 6 2->7         started        11 gqxRqp.exe 5 2->11         started        13 gqxRqp.exe 4 2->13         started        process3 dnsIp4 42 C:\Users\user\AppData\Roaming\VNJCPdLEb.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmpDBD4.tmp, XML 7->44 dropped 46 C:\Users\user\...\triage_dropped_file.exe.log, ASCII 7->46 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 7->70 72 Injects a PE file into a foreign processes 7->72 16 triage_dropped_file.exe 2 5 7->16         started        20 schtasks.exe 1 7->20         started        22 triage_dropped_file.exe 7->22         started        24 triage_dropped_file.exe 7->24         started        74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 26 schtasks.exe 1 11->26         started        28 gqxRqp.exe 2 11->28         started        48 192.168.2.1 unknown unknown 13->48 30 schtasks.exe 13->30         started        file5 signatures6 process7 file8 36 C:\Users\user\AppData\Roaming\...\gqxRqp.exe, PE32 16->36 dropped 38 C:\Windows\System32\drivers\etc\hosts, ASCII 16->38 dropped 40 C:\Users\user\...\gqxRqp.exe:Zone.Identifier, ASCII 16->40 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->50 52 Tries to steal Mail credentials (via file access) 16->52 54 Tries to harvest and steal ftp login credentials 16->54 56 3 other signatures 16->56 32 conhost.exe 20->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 14:14:09 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ilcdtg3g4kmd7nar5xhqp7rrfrojab774klgck5hytayjteezea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508
AgentTesla
3b7316582c9b3d382e1050a88b6a07640c45de22be0f547c6bb04866e394e2b8
AgentTesla
4fab57203daa45d7bed9b0dbf64ab4bceb1b5d523a14f769e60aa595e53f78a1
AgentTesla
64bf8a51999065f086c5b77dd7a6f567393bcc79e2d361e3d3a8f1d501b80040
AgentTesla
798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28
AgentTesla
7a60f0565a5e3f4310090a6519ff72571a32d30bd4f89b641ce3aaccaab30b45
AgentTesla
82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd
AgentTesla
89e80aaeb7d157eb24c0ad0f6336d0c496e8a706eb74e987b5bd4084d5abc7cd
AgentTesla
8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356
AgentTesla
9af09f28e2254b8b942f1a81403815fdbbad3e38b5c509aed0cef2ccac413ef6
AgentTesla
+ 9'135 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210830-pb892vewt6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
cc0f8b52062335329e7b8e94018c4b777119a7cac295f2955164532f6e1c78f0
MD5 hash:
b6731169dde1b96faae5d5d6bb8c52aa
SHA1 hash:
f8504f25a817853835280bbdcb63db774ceeacf4
Link:
https://www.unpac.me/results/8f17ca6f-0d0b-45aa-ba2e-b3b45e3a3928/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/8f17ca6f-0d0b-45aa-ba2e-b3b45e3a3928/
SH256 hash:
0168cfbde0cab1c1c0cfd94d5f7c2f389a81883075b3a1bc46ca390bb6ac701d
MD5 hash:
922e1d3a6d9a093d18bb451459ca8d97
SHA1 hash:
0d5324970fa91beab95e0474429af913ef11e989
Link:
https://www.unpac.me/results/8f17ca6f-0d0b-45aa-ba2e-b3b45e3a3928/
SH256 hash:
da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648
MD5 hash:
f5bbe08ae98556abd753b479ce939e44
SHA1 hash:
4a4da0c67274da65e0ea70e8d2ad8a5f56c7cc62
Link:
https://www.unpac.me/results/8f17ca6f-0d0b-45aa-ba2e-b3b45e3a3928/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/da1621ccdb37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183802/

Comments