MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192
SHA3-384 hash:	50bd60a671cfac74337f9333b175eab064dd1df92b87665c568dd344cc4ed35c974bafc46c7e12baf5b09a0bdc626b23
SHA1 hash:	6ce65f8457ee46a82e263927b866a40a2b026ba1
MD5 hash:	5a67233262378b119e45615d439e3f7d
humanhash:	orange-cup-jig-winter
File name:	SE20210205590.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'647'104 bytes
First seen:	2021-03-08 05:27:15 UTC
Last seen:	2021-03-08 07:38:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:3bSSD5ehAOlHkdBWqeUayGz+uVXJZ1u7AffqFQpObTGa:FAKQkdiUzGzVXJbuTQpObT
Threatray	3'060 similar samples on MalwareBazaar
TLSH	D8758C09FB44AEA6D4194F3A8403841883F9AD5763B6F36F79C4BCDA08357858E5F09B
Reporter	Anonymous
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SE20210205590.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-08 05:05:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ef68a248-36c0-4331-964f-4ccd7a9c8f0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.generic.ml.20043.17564.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/630863

Signature

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-08 03:40:07 UTC

AV detection:

4 of 48 (8.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6okv5qmfgqo7boreicjaexredjsbbjc7c4apibxgcol76qhzigja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3252902f96a3564966a28b2144ce24a243e9c497d9f55b8c87261226c63f322a

AgentTesla

4887639a62fab8baa56b119e5f05ec897ff95ec2b03833fc93cdc6a434f704b1

AgentTesla

569d9358801eb518b152cb73009131508a3f14b136b0eb80025ccf438865a440

AgentTesla

96827f6ab2dc0c8b0ad0c1f4bfaab1eca0e525a32c4b93e216e9d42f7c6b30be

AgentTesla

98245891a284abcccb56bb8ccd774fbcde277259432b07294d7e3e7b864c30c1

AgentTesla

a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041

AgentTesla

b2b6eff8a6c60704b212b98e6eb03be8bd26e1dc3bd8b6f28774bd6a52badb6d

AgentTesla

efd9570dd83a20b4c04429b1ae5a729bf7754b513bd119172e82e13a9552e59a

AgentTesla

f892fa6757d9aab17b11c24debe91cc7ecd4591bc656f9e653dacf883a1b764f

AgentTesla

+ 3'050 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210308-89dwp8hbjj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192

MD5 hash:

5a67233262378b119e45615d439e3f7d

SHA1 hash:

6ce65f8457ee46a82e263927b866a40a2b026ba1

Link:

https://www.unpac.me/results/2b48157d-d9dc-418c-a7c8-cb25f9f744f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample