MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5
SHA3-384 hash: e2778c03e4bf842c4a424d94e8d5f962dec141bd446ce3cdd070012edd7bba349b39e740831b90475d3c500d4962aebc
SHA1 hash: 64a187795b6aff901c923a2e762c1bd8b2a62ca4
MD5 hash: 7f9a5a012b7ad438165dd2c2cc4522e3
humanhash: mike-speaker-friend-one
File name:7f9a5a012b7ad438165dd2c2cc4522e3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:473'600 bytes
First seen:2021-09-03 12:47:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:pY2cgP4BBo0++ye+yvHK5QcsH31Wi3Sw9s6IX67C9jYaLMLuLl:pYrBiL/yC58X
Threatray 10'505 similar samples on MalwareBazaar
TLSH T1EAA4CF9C7250B6EFC867C972DDA42C64EA61A47B530BD203A45722ED9D0D6DBCF120F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7f9a5a012b7ad438165dd2c2cc4522e3.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 12:52:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e87cf1a1-d69b-4470-ba71-a29763f28eda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185172/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.17318.25806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a0c66e5-9b01-4a8b-b51a-54857b685de8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844832
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477260 Sample: 4D3uDn2hzm.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected AgentTesla 2->62 64 5 other signatures 2->64 7 4D3uDn2hzm.exe 7 2->7         started        11 NLKBQYR.exe 5 2->11         started        13 NLKBQYR.exe 4 2->13         started        process3 file4 40 C:\Users\user\AppData\Roaming\YUzJSyyic.exe, PE32 7->40 dropped 42 C:\Users\...\YUzJSyyic.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmpD4C7.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\4D3uDn2hzm.exe.log, ASCII 7->46 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 7->70 15 4D3uDn2hzm.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        72 Multi AV Scanner detection for dropped file 11->72 74 Machine Learning detection for dropped file 11->74 76 Injects a PE file into a foreign processes 11->76 22 schtasks.exe 1 11->22         started        24 NLKBQYR.exe 11->24         started        26 schtasks.exe 13->26         started        28 NLKBQYR.exe 13->28         started        signatures5 process6 dnsIp7 48 us2.smtp.mailhostbox.com 208.91.199.224, 49716, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->48 36 C:\Users\user\AppData\Roaming\...36LKBQYR.exe, PE32 15->36 dropped 38 C:\Users\user\...38LKBQYR.exe:Zone.Identifier, ASCII 15->38 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 Tries to harvest and steal ftp login credentials 15->54 56 3 other signatures 15->56 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5/
Threat name:
ByteCode-MSIL.Worm.LovGate
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 08:22:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36yqa2ltoeiz5zhasplty7drucqhyff5zej7sbxq6pfvpmuhxo2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
AgentTesla
352dcb6d07e24df2a517db0ba594f02e46692e2fb5ff632fa9b44d6319cdf268
AgentTesla
41576a4ea5b8e1d0c9a1ca017e2a5265c1d7ae9e32f2327871e8f9acc6219fa3
AgentTesla
9525197c77e5de1094ea33c3cd76a3e87c91342b4d41148442808bc27b4e2ca6
AgentTesla
b9a0f67098094ecfc0675a49e35a8a7b088c459c686b383a0ad0c35ea6975f6c
AgentTesla
cf9fba55a1a9e94e666cbca5b10daa9c4ac1c097f720c537ca2d6fa1d8fb0d17
AgentTesla
e758d7eed6c58b468d4e83295c69a68c013b42e6442e8791797777110f01fa02
AgentTesla
ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d
AgentTesla
+ 10'495 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210903-p1xktsgcbn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/16feb7b9-9472-400e-b0dc-05c416530da2/
SH256 hash:
eac13af047534649bef3b15d141af23be8f65cf030e7bb7170785e7e2ef211b6
MD5 hash:
75f612e376722855557af99226132261
SHA1 hash:
d2e54ec6292453e07610ce306d48f78b79180898
Link:
https://www.unpac.me/results/16feb7b9-9472-400e-b0dc-05c416530da2/
SH256 hash:
c76121037408ebe9d5a3dd012887841ecb004a750d075e81192dfd95d3ab7034
MD5 hash:
8433a873f526a4469ebf24f08c807ee7
SHA1 hash:
58e2d3107f8f627015ba03ccbce8e681d7007cb8
Link:
https://www.unpac.me/results/16feb7b9-9472-400e-b0dc-05c416530da2/
SH256 hash:
dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5
MD5 hash:
7f9a5a012b7ad438165dd2c2cc4522e3
SHA1 hash:
64a187795b6aff901c923a2e762c1bd8b2a62ca4
Link:
https://www.unpac.me/results/16feb7b9-9472-400e-b0dc-05c416530da2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe dfb100697371119ee4e093d73c7c71a0a07c14bdc913f906f0f3cb57b287bbb5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1583770/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185172/

Comments