MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e56094da948e5020c773f7f71d9b485678d477130cd593d14bfe2876feb8bd4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e56094da948e5020c773f7f71d9b485678d477130cd593d14bfe2876feb8bd4d
SHA3-384 hash: b686e2341ee8da863656ba3dc08cf99bf13271a4f5cbc8ddc5e7a74b0a4bb97cb9b5c0441de3ffa99d68dbc987b8500f
SHA1 hash: 4dc56b098e00a7743810a0aa27477d8fde168a2c
MD5 hash: a8ebf8a2d5a0cb645b2d99c049567816
humanhash: october-connecticut-georgia-high
File name:SecuriteInfo.com.ArtemisA8EBF8A2D5A0.21249
Download: download sample
Signature AgentTesla
Create hunting rule
File size:971'264 bytes
First seen:2020-09-03 11:00:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:Tg39EVt5atw7kyEo7fHgWAyvddZMP2GJ5erOR:Tg34aG/s5f
Threatray 69 similar samples on MalwareBazaar
TLSH 0C25A2E5AAB15C1EE43CC532836459C27B2093C13A09CF2F64FA221D5EE26DB7F15C5A
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54739/
Detection(s):
SecuriteInfo.com.ArtemisA8EBF8A2D5A0.21249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/458230
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e56094da948e5020c773f7f71d9b485678d477130cd593d14bfe2876feb8bd4d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-03 07:19:45 UTC
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vqjjwuurzicbr3t673r3g2ikz4ni5ytbtkzhukl7yuhn7vyxvgq._file
Verdict:
unknown
Similar samples:
159921268e1634b4695fdeb118786e1d8b3607e775ec42913beeae5f497d0011
AgentTesla
221c96dcf9d3f774e6d79c3db0c56885381f2134f381cb471f08c75072adba26
AgentTesla
3194098767fd446cff02e280f8a7f83c3d76ecf00432fbec5b8ab01a6cf3f8e2
AgentTesla
4b957c9c068b3545eeebdafc11543b47228daf7e5bfa9500cf5660c1236a8184
AgentTesla
4ecb3055a481b6c96204ce29bf3fa60598c6105137dd564b5824cf201e808433
AgentTesla
72401bf3b38c9ea0fafb14afa9fd35484add4163752be1f7243a9e7d6fa3c7af
AgentTesla
acf68538ba67b523ff52999cc40e2ef3383c53b5b5fe53c634cf7c52f5c9dbe3
AgentTesla
bff4a5c35e2b08a5bc0e1b340e6b8936549ed66689af5f2f0ab0be3ebef2b705
AgentTesla
d0894e4e4298d1dda4d2f1072eaefac087c6723206cf07260f1ab075f47169ed
AgentTesla
fbab77a9399461b71d65d586ad2aac134941f7fac37e5e607822749a627b3937
AgentTesla
+ 59 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200903-pz27ry26aa/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e56094da948e5020c773f7f71d9b485678d477130cd593d14bfe2876feb8bd4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54739/

Comments