MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f684f3065013459e4b2f23b77ca621d61690b13d016c7a9146d8111ed1cf0eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f684f3065013459e4b2f23b77ca621d61690b13d016c7a9146d8111ed1cf0eb1
SHA3-384 hash: 3e1171cd037ce4121c92a1a4c912d6bafc59ef8af761a6f512f5ea948cbaa240944955253a6fa690dabadd7fca3a738f
SHA1 hash: 2ef9aa9be30282a264fca77c52dbc0f77eb09a0f
MD5 hash: 9cde4342c81458316e29ccbda9b5a8e6
humanhash: carbon-texas-mirror-december
File name:9cde4342c81458316e29ccbda9b5a8e6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'777'536 bytes
First seen:2021-05-28 19:10:51 UTC
Last seen:2021-05-28 19:52:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:MnLGH0oPWsQPNIF2wMxBH1R1Cr8h68EyWgloa1muQtN5Cc/5wMhb93IuWl5FeQ1g:YWQ6F2Jf6
Threatray 5'382 similar samples on MalwareBazaar
TLSH 1806A061613E7AAC32BF05610A4CE6168F37E4E1C9B2D36EA35C229D2F44F221D1DB57
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order-confirmation.doc__.rtf
Verdict:
Malicious activity
Analysis date:
2021-05-27 20:17:41 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/54f557a8-0bac-4102-9839-9e410f204903

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163040/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.772.14358.16545.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a window
Sending a UDP request
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794036
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426435 Sample: 9ql1Gg6I6L.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 Sigma detected: Powershell adding suspicious path to exclusion list 2->72 74 9 other signatures 2->74 8 9ql1Gg6I6L.exe 5 9 2->8         started        12 svchost.exe 2->12         started        14 69vdz0d62eh81022f8deT58t2dmA2mdw7IdFa8a78d.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 58 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->58 dropped 60 69vdz0d62eh81022f8...A2mdw7IdFa8a78d.exe, PE32 8->60 dropped 62 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->62 dropped 64 2 other malicious files 8->64 dropped 82 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->82 84 Drops PE files to the startup folder 8->84 86 Creates an autostart registry key pointing to binary in C:\Windows 8->86 98 2 other signatures 8->98 19 69vdz0d62eh81022f8deT58t2dmA2mdw7IdFa8a78d.exe 3 8->19         started        22 powershell.exe 8->22         started        24 powershell.exe 8 8->24         started        30 6 other processes 8->30 88 Multi AV Scanner detection for dropped file 12->88 90 Machine Learning detection for dropped file 12->90 92 Tries to delay execution (extensive OutputDebugStringW loop) 12->92 94 Adds a directory exclusion to Windows Defender 14->94 26 powershell.exe 14->26         started        28 powershell.exe 14->28         started        66 127.0.0.1 unknown unknown 16->66 96 Changes security center settings (notifications, updates, antivirus, firewall) 16->96 file5 signatures6 process7 signatures8 76 Adds a directory exclusion to Windows Defender 19->76 78 Injects a PE file into a foreign processes 19->78 32 powershell.exe 19->32         started        34 powershell.exe 19->34         started        36 powershell.exe 19->36         started        38 powershell.exe 19->38         started        80 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->80 40 conhost.exe 22->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 5 other processes 30->48 process9 process10 50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 conhost.exe 38->56         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f684f3065013459e4b2f23b77ca621d61690b13d016c7a9146d8111ed1cf0eb1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 09:55:21 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=62cpgbsqcncz4szpeo3xzjrb2yljbmj5afwhvekg3air5uopb2yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
080564abb60c8466695e044519ddce8d480176127b917bb994193165dbac25be
AgentTesla
10c5df44b26355f12a62e1243923e9156150f7c86c0ee0f0b25555fae9fca5bd
AgentTesla
1609456bfa0aef6837c118fe23e5d57fc5500f750907d6c0b3ae50dd36161125
AgentTesla
354e15eaddffc7d653f304af3eee050b968f8705609a03ada9b459bcd71c6619
AgentTesla
812e3a714bab007330415791cb76653b1488217fb1d22406244990e98879fe8e
AgentTesla
89f7219c6aed63932df5feb7a41fb92f3ef7ef2885b9508a612d59644792ccb1
AgentTesla
9d672970cf9e1807fd0ef155b412adaa26512957ce81b234418bff69d44e925f
AgentTesla
cb5ccacedc87594dcd227587381680271299317641010bd8b5dc285c3075c62f
AgentTesla
d5e33330a0fccc0bec46f1d928cfe64fa838a8fa50b60a8913bbd20c89469f06
AgentTesla
f52821632c06371b47555998f4c20ac910cddffdf60fda190fc07d6c2ee7acbf
AgentTesla
+ 5'372 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210528-q3bct1565n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Windows security modification
Executes dropped EXE
AgentTesla Payload
AgentTesla
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
https://api.telegram.org/bot1870790471:AAFpD5zuAlCeqAqJnBFTcvC5WkaPoWtoQ9c/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f684f3065013459e4b2f23b77ca621d61690b13d016c7a9146d8111ed1cf0eb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f684f3065013459e4b2f23b77ca621d61690b13d016c7a9146d8111ed1cf0eb1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1294106/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163040/

Comments