MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e
SHA3-384 hash: d7d44e1c5e0e84061c58925f4d53ead414f9608c2684173a7b86f340ef577afbe9993a4ff10c16362a009ab72e3dfb7f
SHA1 hash: 988ec531875c0c12e497ab00d1a1caaf0bf03ef9
MD5 hash: 6f076a92c41e53b1dd2be0c3634f6a76
humanhash: princess-bacon-fruit-alanine
File name:6f076a92c41e53b1dd2be0c3634f6a76.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:442'368 bytes
First seen:2020-10-16 14:27:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:vvcNNXhK/s2NiUa1gwcfJQ2z9aeQ4qLqwmJTGg:vYMi1afK2zw4qLW
Threatray 608 similar samples on MalwareBazaar
TLSH 169423132AF88E7FE999C2FE60213B809371414B7A03D1FD1E9979DB715B3864A45387
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72101/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493834
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 19:35:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3n376ueqd7unpszlia62n6bm743ikeo6vjgycs43r5mhckwx7q7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
11f3b25ae9fd0ba16395cb35d4d528f5180ecb436d0e095f9f4f0ff1e468e8eb
AgentTesla
25f48722bf24e935d7bdca104b416f87424ced29dfec2fbebc817725f09af5f1
AgentTesla
5c5ebd97c48cdd89aeaf3977c3f7951b5351e88c6e88e09627357fc1e1226c22
AgentTesla
67eb81371ab1f5b10fee97f764cc640790bb518fa452554b34ddb4f2f7f74391
AgentTesla
6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
AgentTesla
7b7fd4955b651b7279580f7f52d30b7539becf0a637257ee53abeb7dcd03e3e8
AgentTesla
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
AgentTesla
a3d2f3554c4effeb330f38e85abff7c23a37c0078cd8ddcabd7f7f61809db8a3
AgentTesla
ca74ca06ac3bfd92aabfc85fc7e10ae5d9e2e6306ed488eb7bf0b06640890a9f
AgentTesla
f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69
AgentTesla
+ 598 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201016-ywfr4scfls/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
60dbfdbe4dbea13ffc30c9b531789e44f8d159954e01ed448ad0559b73c4cf7f
MD5 hash:
dbd2877f902af0cda0c164a4baea2a3f
SHA1 hash:
8806665a50e71718e81b60d61c8339b0b2bf7f02
Link:
https://www.unpac.me/results/acdf6b68-230d-414e-8c0e-e458076a957f/
SH256 hash:
8fcd1c69c83057c1f1d74939685916a6e460df2fde9f0884aa183980afd47638
MD5 hash:
ee0cc18ddf17f6e7d1cd8fa2d2ad1088
SHA1 hash:
8d8b2d23e718354c6c69f2d47b7ffda7d1dd2b0f
Link:
https://www.unpac.me/results/acdf6b68-230d-414e-8c0e-e458076a957f/
SH256 hash:
db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e
MD5 hash:
6f076a92c41e53b1dd2be0c3634f6a76
SHA1 hash:
988ec531875c0c12e497ab00d1a1caaf0bf03ef9
Link:
https://www.unpac.me/results/acdf6b68-230d-414e-8c0e-e458076a957f/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/acdf6b68-230d-414e-8c0e-e458076a957f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe db77ff50901fe8d7cb2b403da6f82cff368511deaa4d814b9b8f58712ad7fc3e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/72101/
  
URLhaus
https://urlhaus.abuse.ch/url/698171/
  
Delivery method
Distributed via web download

Comments