MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce8c2e5bfa677c2971dd88a020fb27193c11fc9759fbe9ed52704fa7ec9f7f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	dce8c2e5bfa677c2971dd88a020fb27193c11fc9759fbe9ed52704fa7ec9f7f2
SHA3-384 hash:	9593adaf87e02aa126f6f3c5902f78d2d89d762b5a37fc5fb390a2b6e27cfca84508ee2ae2832419aea565d3c5ffe5d0
SHA1 hash:	405d366fc7872cb1de12ea8826ba93fca3121843
MD5 hash:	d20eb19209223cce7458d01955130d51
humanhash:	salami-black-foxtrot-sad
File name:	TiGvmN4uIo885gn.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'826'304 bytes
First seen:	2021-05-13 14:50:42 UTC
Last seen:	2021-05-13 15:03:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:fx9vT3HDJgA01EtREjXkD8cZM81lxm0ZQ:59vT9qGR4XkD8w313m0
Threatray	4'917 similar samples on MalwareBazaar
TLSH	3C859D122F050F5CE43DABBDB436540987F87D4AF3E0EE5DB85939D827BAB028D46252
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TiGvmN4uIo885gn.exe

Verdict:

Suspicious activity

Analysis date:

2021-05-13 14:53:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/76c9458d-5590-4d7e-bbb3-df8ce545f893

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/156234/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/781120

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dce8c2e5bfa677c2971dd88a020fb27193c11fc9759fbe9ed52704fa7ec9f7f2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-13 14:43:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

147

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3tumfzn7uz34ffy53cfaed5sogj4ch6jowp35hwve4cpu7wj67za._file

Verdict:

unknown

AgentTesla

113c1364bffb0f75376c6728d53bc47304fd8f8077dc0765f1b924f04d5456e8

AgentTesla

9057936347c73028c880c06c0f41c373e3db3b75085f5b8da60966025c545d4b

AgentTesla

9565ebcbb8cc07c12a28b5492741c237c0574758c6d033216bb10dc83bf21335

AgentTesla

ad955529bf96483828333f5a0b6c69d1bdacc0798123470d8de0875c75b9010d

AgentTesla

b1617ffb1927fe6176fbffc4ebb242635c19bb656811967cba47493a4a43a580

AgentTesla

cd33314417e59031e5fb210cd40ce59202160d1a711c9e55fe1c3b04dc7431a5

AgentTesla

d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8

AgentTesla

dc688750bac89efbc67a9953b71351ab3b59551e0d293602ca3baaf75f8c5d71

AgentTesla

f076d51c4fa09d0e318d43f41560fa50b8c4a4f327effa8aeafedf947800e4d8

AgentTesla

+ 4'907 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210513-pqah3c8y8j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/156234/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample