MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48
SHA3-384 hash: 549bd8ac7218b61d550f35224f6118c73bcf673013482a29a5d6451ce0f38b6010ac14428fc895bbe93abeab9fc4d514
SHA1 hash: d02a47290ebe02907dccd36622f787a833747a84
MD5 hash: bac924457653072c31e7a12800642813
humanhash: crazy-undress-sad-mountain
File name:DTkJDjKTMtJ53Wf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'114'624 bytes
First seen:2021-03-29 05:36:41 UTC
Last seen:2021-03-29 05:39:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:vQzAzaz+5RhRtdaPjEhzg/GRDl55UCKwCs8cdcfU7YhTf742g09A9s0CRSel2ELl:HzAE6gZNKwCs8oKU7k4+iCRvlnB
Threatray 3'526 similar samples on MalwareBazaar
TLSH 8A35289C2E49C8EBD2BD0A7842CD96C942E98AF32F21DC78BDC047D7D1A07C5E7125A5
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DTkJDjKTMtJ53Wf.exe
Verdict:
No threats detected
Analysis date:
2021-03-29 05:39:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/51d5e867-afc9-4d9b-a087-d4583e42a82a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127442/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74aa4e9e-4ff8-45c8-963a-1c8e2cd1b206
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656402
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 22:49:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bw2bgcjokurey3m2zkm4nsqynvwadrlnhwwe5vvxcmfdg7mn5ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
AgentTesla
170795ec686868d73079d1bf31efc776c8bedcb5407ad16b930a42372a2ab7c6
AgentTesla
29e43219dc1b9239dab0ec49bc6e8c5d8790e4b049818f3abe6cf26bf3538e85
AgentTesla
65c7e02ba4d05c0009b9c62be9127e472876a9ed70f86702e144f89f20e78b4b
AgentTesla
80696b82979f9ef0936df9b0406561d491778061ce19469508097dd6b21d9bd7
AgentTesla
adbfaef61c436d79f0ab2c890570f73ae979609feafd21d9932e86641aac05dd
AgentTesla
bc58f1f37527b2256089b3fedbf5044ad396b267a762ca7e7f6fa7c81f76259b
AgentTesla
d114ed04fed2c6a8df9fd9928029c0ea86fa55186ab35bb78006d637daf6cca2
AgentTesla
ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
AgentTesla
fef7f9c7aa577ed9db39ea4da675ee8cc1c66bd6bb48ae2dca6093092e71ffbf
AgentTesla
+ 3'516 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210329-m8yt613ptn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/36da5d9e-52a0-4dae-a27c-b77cf3b7097f/
SH256 hash:
f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48
MD5 hash:
bac924457653072c31e7a12800642813
SHA1 hash:
d02a47290ebe02907dccd36622f787a833747a84
Link:
https://www.unpac.me/results/36da5d9e-52a0-4dae-a27c-b77cf3b7097f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar e4c37c77632e0ac493520a7c4dc3f56cd22a5b40e51f890643544f1044803c10

AgentTesla

Executable exe f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e4c37c77632e0ac493520a7c4dc3f56cd22a5b40e51f890643544f1044803c10
Cape
Cape
https://www.capesandbox.com/analysis/127442/

Comments