MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5
SHA3-384 hash: 23f60392c895d300772667de8fb391dc4acd334accc47d817ecdc7976f26a6fc57a4750c585f06d13bf2ba78916fe6d8
SHA1 hash: 3166d96dc5c719df87abc726ee1b8785ef8ee7d8
MD5 hash: a5da6bea30981185e9dadaaa06ccf45b
humanhash: kitten-lactose-montana-queen
File name:a5da6bea30981185e9dadaaa06ccf45b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:505'344 bytes
First seen:2021-07-22 07:59:41 UTC
Last seen:2021-07-22 08:47:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:dFhiZ9ZM3qZ7871dHdnVjcNX/J6oj/2V7BNHipLIyLBmDMx399GSyjp:PAo71dHd966w/2VtNCpIjKrG
Threatray 7'203 similar samples on MalwareBazaar
TLSH T12CB422702E86FDE3DB3E9B32626731427F3461836A52EA4DD9D110DD4A5B746AA03333
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a5da6bea30981185e9dadaaa06ccf45b.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 08:23:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34771db0-c139-4cf6-b40d-ada49adbc1b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173251/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.17308.23120.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f3d6644-2799-4dac-84e1-ace6e8a97fe3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820006
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5/
Threat name:
ByteCode-MSIL.Coinminer.BitCoinMiner
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:57:09 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  4/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56z4yfztbniz3fydkorprwukxgqqvo7np622ycm32twvow5cd6sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
284f84d96664f2cd87973b7251e93e4e6dd0f954ec5f043c9f95e5cbddeb6420
AgentTesla
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03
AgentTesla
359de4e28b1286f601c3d8cc5987ff8f81335f049411f00d99496c2f56bbade0
AgentTesla
6e8ba9ccbcfe6fb5e8ff5ba198398b3e7994f8afc6d51140496a3b4c1d67e20f
AgentTesla
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386
AgentTesla
cf3f60295611af5ef3e9c80a9ab1a09928431a8c4a1561f7139267db480e05cc
AgentTesla
d0161531f5293cd6ed32289dbdcac085c08fcb305d66f0905f2ec10fbd6be956
AgentTesla
e81c6b84f83b9ac8233102f31e21bfeeab4ffaa5aa4c02987ce910de908a83ed
AgentTesla
+ 7'193 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210722-nrxbzszdva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument
Unpacked files
SH256 hash:
eb40424ca9fbc5b7e57ffc8f7e71be97a9a5d6ce2150c38628bc812626003dbb
MD5 hash:
b1fccdfa3042e0ddb0a6cd51bb8f73b3
SHA1 hash:
fb14ee4e67128fb36555212321d3e770027ab007
Link:
https://www.unpac.me/results/2c4aec00-a04c-4a7c-95fd-b86e4670a9bb/
SH256 hash:
341631358de2061ae714cbd0895e83574e5dbb6be640d06943acaa101e5ec671
MD5 hash:
42f2474dc4286174b7dd5966640dda72
SHA1 hash:
92f1429bec6430f20684f1e4da48e8c736fb2cd3
Link:
https://www.unpac.me/results/2c4aec00-a04c-4a7c-95fd-b86e4670a9bb/
SH256 hash:
90657ac82bd32e57624e578a35257f070cbc5546ba0f701fe7195320e869d208
MD5 hash:
8cd481a3ff96ee7da74b808dc4abbd6c
SHA1 hash:
5cfa232906a94ad7c5de5c4ebf1a009e3c5bac1b
Link:
https://www.unpac.me/results/2c4aec00-a04c-4a7c-95fd-b86e4670a9bb/
SH256 hash:
efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5
MD5 hash:
a5da6bea30981185e9dadaaa06ccf45b
SHA1 hash:
3166d96dc5c719df87abc726ee1b8785ef8ee7d8
Link:
https://www.unpac.me/results/2c4aec00-a04c-4a7c-95fd-b86e4670a9bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe efb3cc17330b519d970353a2f8da8ab9a10abbed7fb5ac099bd4ed575ba21fa5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/173251/
  
URLhaus
https://urlhaus.abuse.ch/url/1411476/
  
Delivery method
Distributed via web download

Comments