MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836
SHA3-384 hash:	ccfb355cb5fe2ab5a99cc595fa63e6fcc2c285d4a9278780e004aefb11e9f2160dc76b944874542087e7b1d7674d7f92
SHA1 hash:	02c2b850ebb9a8416ad7d36771e571b99761c4ce
MD5 hash:	2a001b048153a1e600faf211720fa84b
humanhash:	violet-alaska-pip-low
File name:	NBUSpRGwKqFfAcoxptdwkgXyGpxRqE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'696 bytes
First seen:	2020-10-09 09:42:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:mGWkoFmrToLtVU8G7IgzUCXS6Kk3xICwUoX+n3FNWGbfZ+l7gOzTcCNtDyGS:m3V7U8t+Uwl3GOeufYmqT5TDy
Threatray	415 similar samples on MalwareBazaar
TLSH	7F242A166714D451CB6F417FC016820831F1D707A72AE78F5AA6D8FA2F812CEF92B8E5
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/69519/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/486585

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-10-09 09:41:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5bveykvgik3fssempno4hmsb2f5z4q6nm6gxqvxgtykosk6ofa3a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2df3cf76977b778b4ffe30de57192b6db63debdd422a296d788f8552be32181f

AgentTesla

535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64

AgentTesla

5a6ff674194fd8f0b7221de0d402f383eec634054768bd2df0e7adc2fa825953

AgentTesla

5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537

AgentTesla

60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8

AgentTesla

a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe

AgentTesla

aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f

AgentTesla

eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f

AgentTesla

f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce

AgentTesla

+ 405 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201009-p671ec9ccn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836

MD5 hash:

2a001b048153a1e600faf211720fa84b

SHA1 hash:

02c2b850ebb9a8416ad7d36771e571b99761c4ce

Link:

https://www.unpac.me/results/33a2b649-1da9-4def-a363-e85e7dbe2ee4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/69519/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample