MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12
SHA3-384 hash: b09db7cbaacd8b4cf0eac039dbe9df69eb7d87c8b730fef9ed634b8aa43bf66a5c06332dcd156de4a0bcb997dd3721ab
SHA1 hash: f166bcfa01e9f8040f6dec6e4a877e8fb4fb3828
MD5 hash: 20201a45a4ed588beb4a894c60128e5a
humanhash: mississippi-jersey-equal-violet
File name:MT TBN PARTICULARS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:885'248 bytes
First seen:2021-08-06 15:28:09 UTC
Last seen:2021-08-06 17:01:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:zb0wFVMNjPEhTKeGCUDk5zGV4ESQMtYp:zYwFShP2TZGCUqzsLeap
Threatray 7'973 similar samples on MalwareBazaar
TLSH T1F415DF703AFE5714E1BBE7304636914087F6F63BDB26CB4E2C64609C9A73A824712F56
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT TBN PARTICULARS.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 15:29:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/99d30320-5bef-4131-94ed-a313977f9f62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177062/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15160.29352.4140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/492ca42f-0c62-4d52-9202-9ca4c45f926d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828397
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460828 Sample: MT TBN PARTICULARS.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 6 MT TBN PARTICULARS.exe 3 2->6         started        10 rmKknnU.exe 2 2->10         started        12 rmKknnU.exe 3 2->12         started        process3 dnsIp4 26 C:\Users\user\...\MT TBN PARTICULARS.exe.log, ASCII 6->26 dropped 52 Injects a PE file into a foreign processes 6->52 15 MT TBN PARTICULARS.exe 2 9 6->15         started        54 Multi AV Scanner detection for dropped file 10->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->56 58 Machine Learning detection for dropped file 10->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->60 20 rmKknnU.exe 2 10->20         started        28 127.0.0.1 unknown unknown 12->28 file5 signatures6 process7 dnsIp8 30 transmeridian-sas.com 88.99.141.149, 49734, 49735, 587 HETZNER-ASDE Germany 15->30 32 mail.transmeridian-sas.com 15->32 34 192.168.2.1 unknown unknown 15->34 22 C:\Users\user\AppData\Roaming\...\rmKknnU.exe, PE32 15->22 dropped 24 C:\Users\user\...\rmKknnU.exe:Zone.Identifier, ASCII 15->24 dropped 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->36 38 Tries to steal Mail credentials (via file access) 15->38 40 Tries to harvest and steal ftp login credentials 15->40 42 3 other signatures 15->42 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 08:55:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=42jctof6koaqibqtnyfcuhawhdzvun4q2byglc66i7hbx2ptvmja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
326267c4f5c3018d845a661a8fad196837d7245b6ed5629d22d43334b588c0ed
AgentTesla
38b8e69e6478da910a8f0d1322a8c17bf16b7ca2f8be612f58c1e09fcf266431
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
AgentTesla
7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0
AgentTesla
8079c489c34ad2b7412bd0fcaf69d31639827d60f35d7f8c0df6c58b293e91d1
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
b15d344bbd7da01d707a4811f5a083661a90bf8ef743498145feee4d8cd7b583
AgentTesla
f6398abe67fd7faeccf89de7f810ee2767ee05f96a13821ba48f609aad5da75e
AgentTesla
fb1c77156c32d3643f2b21550110a48c3bbf869d2f0aa099b7400646e1fcaeb5
AgentTesla
+ 7'963 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210806-am76dzl9he/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/1b686164-c5b8-4af3-abaf-a0ec190d9c26/
SH256 hash:
545e5def8e61ef4ddcf4ac225ef6271044c02c686c1e3846440731862b4c8d46
MD5 hash:
0ca04024b4db7e9b5a4e8fed4f732a0b
SHA1 hash:
c2d5b730aa76b4df9a9d6289cc063d3013f67b5c
Link:
https://www.unpac.me/results/1b686164-c5b8-4af3-abaf-a0ec190d9c26/
SH256 hash:
a87c0ed2fadf0aecb560de03b45f6fe703306f3dafd631220d67c8f873ac7fac
MD5 hash:
ba1eeb249fb82d33bd2502f91b5c9163
SHA1 hash:
9005a6b15acf956479d999871cbb9964b39ac6b1
Link:
https://www.unpac.me/results/1b686164-c5b8-4af3-abaf-a0ec190d9c26/
SH256 hash:
e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12
MD5 hash:
20201a45a4ed588beb4a894c60128e5a
SHA1 hash:
f166bcfa01e9f8040f6dec6e4a877e8fb4fb3828
Link:
https://www.unpac.me/results/1b686164-c5b8-4af3-abaf-a0ec190d9c26/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e69229b8be53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/177062/

Comments