MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efa3b6173c92f365051817f1b15924769b10c443e3f1ee2de18d5a4a939d816f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	efa3b6173c92f365051817f1b15924769b10c443e3f1ee2de18d5a4a939d816f
SHA3-384 hash:	ef9833530db488e024fdf17c21cbe0681570fa8486b7b8978a722679ba3a2b38db8cc4d4ae81864ed4c19d329cab5556
SHA1 hash:	e3003278fc99072aac9a900035913693fd1533cf
MD5 hash:	21243384787df75b2cb7a6e3e50f1f92
humanhash:	stream-failed-texas-nineteen
File name:	Customer Ref[1004465929].exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'196'032 bytes
First seen:	2021-08-26 20:28:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:wBbK4HtLGEUBXeu0BU5SisIid0kph+QrA2r79gEflEGD/XnyP112PdsfLosmoyJf:wtfjoBB2f3hjCDFGyRYsqud0YWS5D
Threatray	9'015 similar samples on MalwareBazaar
TLSH	T19B45D93DBD252633E7BA86F8C4860D4EE69414CB22734DDF42D2A7892117617B6FA31C
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

376

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Customer Ref[1004465929].exe

Verdict:

Suspicious activity

Analysis date:

2021-08-26 20:30:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f34c0f2d-1566-4296-820b-28c441a162f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/182755/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6f304ae-9129-4847-b45c-18630ce91683

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/840056

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/efa3b6173c92f365051817f1b15924769b10c443e3f1ee2de18d5a4a939d816f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-26 20:29:04 UTC

AV detection:

13 of 45 (28.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=56r3mfz4slzwkbiyc7y3cwjeo2nrbrcd4py64lpbrvneve45qfxq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

09e134b0c8490f0b7dcdb46da01235383cd74bcb34f3f03cb43e17c1fb751945

AgentTesla

5c55cbcd1262b907a81eb23b2ef9000fd8cfcdf71630a1ca29d019e1cfa786d9

AgentTesla

8ec9f97acd0d3501af739cf4bc78d18f699ab364565f283020c29aea7e899aa9

AgentTesla

c63ce7610313c513c6a7b4670b24f50f557705f0d86865359b7dd647abff0041

AgentTesla

cae19382d1a934d119fcd89aa7aa078e51498ca0d17577e2471c275e5e996f87

AgentTesla

d8ec2bb84895a71e5993448c80edf5a544ac3559ff7e9076b7873baa38fc372b

AgentTesla

e210601f4ab9057633151fce1ae6fae7d88384d44c898b91965ca3eca5ccda35

AgentTesla

e33ca99c956ad81a471ef20f8763d7acb9a6d019cc925a4901372b7f624f9c60

AgentTesla

ecc97de2ca2b66d84eac101021be281c26115c238a0bebcddfa5ded03a0ecdb2

AgentTesla

+ 9'005 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210826-5k7y1vn61e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

f3062f4e58cd3602bdf79258d37caa50a30dcbbae02d7e55af651dc28c92ab03

MD5 hash:

09ed6fd2f5544a1b3ae18b8206769cc9

SHA1 hash:

d7ca2c21a5159c9bef634676029da03c3a4734e4

Link:

https://www.unpac.me/results/5ebe65d7-fce1-4512-b3c0-bf5204182547/

SH256 hash:

5fb73982533d4a88239264c25cadf953fcbbcb3f583d2b6c50cbbc8cccf6aff6

MD5 hash:

f712c1435184a358b8099c70f2348963

SHA1 hash:

873ff18d42272c6ed9ad621d23072112dcee2766

Link:

https://www.unpac.me/results/5ebe65d7-fce1-4512-b3c0-bf5204182547/

SH256 hash:

c93ec5e02e54a574a3346c66816cb190e85560372332e1d407d3f6a93029d461

MD5 hash:

4a9b2364b46b648bd9e56d32b6aaafed

SHA1 hash:

819caf2b858482c8cc99375263575498f6efd526

Link:

https://www.unpac.me/results/5ebe65d7-fce1-4512-b3c0-bf5204182547/

SH256 hash:

efa3b6173c92f365051817f1b15924769b10c443e3f1ee2de18d5a4a939d816f

MD5 hash:

21243384787df75b2cb7a6e3e50f1f92

SHA1 hash:

e3003278fc99072aac9a900035913693fd1533cf

Link:

https://www.unpac.me/results/5ebe65d7-fce1-4512-b3c0-bf5204182547/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/efa3b6173c92/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/efa3b6173c92f365051817f1b15924769b10c443e3f1ee2de18d5a4a939d816f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182755/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample