MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da
SHA3-384 hash: 200edd3ba5abe399f966e1424cbbb2751c4dc476005ec8c0d8b43cbb86ecc9647c4f4193a4f2368f74d5a02d25cf84f1
SHA1 hash: 966c1a722895296b2ad47dadd06f756739d3da87
MD5 hash: 9d2e6f99e526c83023317bd4899ec17c
humanhash: ceiling-emma-timing-berlin
File name:SOA_01042021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:670'208 bytes
First seen:2021-04-01 15:53:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8LnkOhT0RXiFqukzKtj4BhiL26HU12BpXoOoXWBRE1BKSguo2iN7:ekOhgRXiFqxutj4BhK260kB8Xs2fgb1p
Threatray 3'642 similar samples on MalwareBazaar
TLSH 9EE402F02D90DBE4DA289BFB5549204517B9F7E62043DF9CA888F8F5259AF4C1EC0687
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d2e6f99e526c83023317bd4899ec17c.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 02:58:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6cfdd426-f4e6-4f90-9b1f-58e85ce10949

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/131356/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/663310
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 03:37:17 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7alrlpxf2phjrany7ovkmg5gjvt4kr2y7gz6b56c4jv2esz5khna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
230c735113b353cfb84136e474e2a4c6bfe21af92e84fc16397b84496b050676
AgentTesla
5159183c50d03b79bf325655cefff8b847ffbb4b1d1f1f8228e4dc1dfe7eec8e
AgentTesla
66376232e1661b6b29da25ec440d8913932606bcf6a8cc54d83b0fc126e68d11
AgentTesla
6b3ce5f1f7fc6d51fa9b82e32c56521facef5c1ca004fd65bffed44a23663982
AgentTesla
909fbce815ea71ef959b37bb5dc6c18eaea743019b66fae2af196473cffb17b1
AgentTesla
d55db473f710a56ae42084ae5382d3a237a2fdcfe049877f38ed58518b75c863
AgentTesla
d96879b03c94cdf3e91756c0454825de2920b90cc7ffe73272692d572b930950
AgentTesla
de63a44a558761ac51c3415f0b2f0b37d7c440aac7935063b4a789b89bc6cd5c
AgentTesla
ec31b3a03a2a8cba4a4fe8b5319c134fcace80b1b9bbdf8798d52ed0277cef9a
AgentTesla
f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61
AgentTesla
+ 3'632 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210401-s7hn3kp7fj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a380482df3aca2aa5d258efa48bb8615191077f34119e214d36f37e35665a178
MD5 hash:
175498f61984ff91a89300205e48ae9a
SHA1 hash:
da71cb8fe8be871fab2abf3b195a243906961bf0
Link:
https://www.unpac.me/results/43e8af6d-241e-460c-9698-87d24a152b11/
SH256 hash:
abdbd8dbf1b8d066fa49f0a166721ca389c0cb1d6d3e86f3427c97502342a792
MD5 hash:
991fa63e8c71c29f0322df369ae72191
SHA1 hash:
65b5264782d8d3ac1a2cdd290319c104954b5fb9
Link:
https://www.unpac.me/results/43e8af6d-241e-460c-9698-87d24a152b11/
SH256 hash:
5d7ff8bc02004bf4834e35419cbefb1c031e82c362ff92f2c05d7db59e193090
MD5 hash:
b78cf00ac9ea6c6bbd758bf78a828833
SHA1 hash:
1de53ac8a11c7c181d5231ff819fa18e55e0ad60
Link:
https://www.unpac.me/results/43e8af6d-241e-460c-9698-87d24a152b11/
SH256 hash:
f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da
MD5 hash:
9d2e6f99e526c83023317bd4899ec17c
SHA1 hash:
966c1a722895296b2ad47dadd06f756739d3da87
Link:
https://www.unpac.me/results/43e8af6d-241e-460c-9698-87d24a152b11/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0ec8177450ccf161683c45548873e33053c500a17cd911a82b7a8f29ce7ccc02

AgentTesla

Executable exe f81715bee5d3ce9881b8fbaaa61ba64d67c54758f9b3e0f7c2e26ba24b3d51da

(this sample)

  
Dropped by
MD5 636ef73b34fc31643b15e42550917540
  
Dropped by
SHA256 0ec8177450ccf161683c45548873e33053c500a17cd911a82b7a8f29ce7ccc02
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/131356/

Comments