MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2
SHA3-384 hash: a910399eb0e25b37cdc80a0c6f0e66f93bcacd339a65f83eb0ba425ea1e2320fd7035439792fcd416a4424415624032f
SHA1 hash: 94032be444f2f7106748a11f2d9342231cbb655c
MD5 hash: 048b882da28eaa326a4b8100b0fe0715
humanhash: apart-william-crazy-low
File name:SecuriteInfo.com.Variant.MSILKrypt.4.3521.13757
Download: download sample
Signature AgentTesla
Create hunting rule
File size:755'200 bytes
First seen:2021-03-08 10:53:07 UTC
Last seen:2021-03-08 11:38:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:e+7WF7hQmhH0GEIGx1aA7hIWLVEy3rPXTwQZ5hTABbLZupcBNYAmQ:e+7G7hAfj7hI8VEybPcQZ/ABHZupcqQ
Threatray 11'081 similar samples on MalwareBazaar
TLSH 84F4DF144B3C1862F2569F7B343BC9366D96AEA90547F9102AEDBC6B393C33811FC685
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ040820_Items_and_products_Aeon_Viet_Nam_Co.doc
Verdict:
Malicious activity
Analysis date:
2021-03-08 07:10:32 UTC
Tags:
ole-embedded exploit CVE-2017-11882
Link:
https://app.any.run/tasks/c9138fb1-fcfd-4aff-b733-c243576c4bfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122746/
Detection(s):
SecuriteInfo.com.Variant.MSILKrypt.4.3521.13757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching the process to change network settings
Reading critical registry keys
Stealing user critical data
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/631086
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected Beds Obfuscator
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 364515 Sample: SecuriteInfo.com.Variant.MS... Startdate: 08/03/2021 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Found malware configuration 2->31 33 Sigma detected: Capture Wi-Fi password 2->33 35 6 other signatures 2->35 8 SecuriteInfo.com.Variant.MSILKrypt.4.3521.exe 3 2->8         started        process3 file4 21 SecuriteInfo.com.V...rypt.4.3521.exe.log, ASCII 8->21 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->39 41 Injects a PE file into a foreign processes 8->41 12 SecuriteInfo.com.Variant.MSILKrypt.4.3521.exe 7 8->12         started        signatures5 process6 dnsIp7 25 smtp.iotoils.com 12->25 27 us2.smtp.mailhostbox.com 208.91.199.224, 49732, 49733, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->27 23 C:\Windows\System32\drivers\etc\hosts, ASCII 12->23 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->43 45 Tries to steal Mail credentials (via file access) 12->45 47 Tries to harvest and steal ftp login credentials 12->47 49 3 other signatures 12->49 17 netsh.exe 3 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 00:05:47 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gcgjgh4xrozese2ieq43irfbuoxolq2igeqvmn4jogkhsbb5wra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c7de15126c912cd1ab00cb0ba1f5504272eba4d87912f4251431892d5a2a375
AgentTesla
0fc60e6149afb0a4a187d8d2d593a8939460ee688ca36091a825489e0d1ed399
AgentTesla
1889cc3d14163844c0ac599ded1dcbb904510b10d2ee4e5f03e3e2cf81040d79
AgentTesla
24e7c637d79dab5d54c17af32acb51ff82ea26b6a76ee58c22c4ef97254c09db
AgentTesla
38fc7dbc46afc77e54a4810ba17964faaa85ef9ca526890306fcc2c5ecc398db
AgentTesla
44ba37fc9028cfa910e1ab8b805fa455ba0ba2d6020c6da3971ed61a490513d3
AgentTesla
a219a59846f747474e83c29b015f831313d83aebf99823b5f12e58a86dff301f
AgentTesla
ad4e9fc11e43cf6bb3b98ee29517dcd3b6aaee90c7a9ef88fe84a3a0056e92ec
AgentTesla
da724467df8f1c1cb077ad7879ad8790cdef010eab22b382fbd2ed6e87696d87
AgentTesla
f96f26859a0e34567a6042ef891e59c27a62f6630d9211be0bbbcac749efe988
AgentTesla
+ 11'071 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210308-nsp2nk6b6n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
Beds Protector Packer
AgentTesla
Unpacked files
SH256 hash:
a1eec2912afa8ca0a03c3e8f9e94cca2dea8bb87922bc2caaa7fb40f8ae492e4
MD5 hash:
e1b2ba3950e5a5ac266393cd1d457494
SHA1 hash:
4e790ccd4f89a331adfabf3ff79f5492f5db1eed
Link:
https://www.unpac.me/results/d47bbc27-8f7a-42bc-af97-b476a8d1762b/
SH256 hash:
e58a6f58d2bd097b4b4dccb7ad239f15f7a776a2f671cb8c0e7a4ed59fd6f014
MD5 hash:
d4fb58a7aba9f79a57e1c787aa1f65b4
SHA1 hash:
fad40de461565b2a1b2bd47f0ca86b2a283cc388
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/d47bbc27-8f7a-42bc-af97-b476a8d1762b/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/d47bbc27-8f7a-42bc-af97-b476a8d1762b/
SH256 hash:
f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2
MD5 hash:
048b882da28eaa326a4b8100b0fe0715
SHA1 hash:
94032be444f2f7106748a11f2d9342231cbb655c
Link:
https://www.unpac.me/results/d47bbc27-8f7a-42bc-af97-b476a8d1762b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f1846498fcbc5d92489a4121cda2250d1d772e1a41890ab1bc4b8ca3c821eda2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1053977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122746/

Comments