MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments 1

SHA256 hash:	f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b
SHA3-384 hash:	d348b4956c9531ab3fbba323ea9cb2b6d81699c32abdb5772a3c3f5364d80be92ccc9617417b03935ba658dc76761a9a
SHA1 hash:	99fbecfd0e5348afba415bda708b3a929ab0bf77
MD5 hash:	c12b9137c5ceccee311215cbd5a8d7b2
humanhash:	harry-london-oscar-finch
File name:	c12b9137c5ceccee311215cbd5a8d7b2
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	987'136 bytes
First seen:	2021-08-17 14:07:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:MpQDc9F3nC0Py3gAh6EJbjJEKcMt9lsh6ZaU77zSA0eN+46V8O7oghAtJGCRj9st:UC26g07OF46V8IhsGoSt
Threatray	8'504 similar samples on MalwareBazaar
TLSH	T15525703C1BB82667D165D63EABD18617F04096DB3411AA5764CA0FA7B302AC2F7C723D
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO - NEW ORDER.xlsx

Verdict:

Malicious activity

Analysis date:

2021-08-17 13:39:38 UTC

Tags:

encrypted exploit CVE-2017-11882

Link:

https://app.any.run/tasks/36d16c32-3e89-486c-bc7f-ab2f87df5c2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/180078/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89b8a0d2-7402-4d90-8ff0-55e081cefa4f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/834447

Signature

.NET source code contains very large array initializations

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-17 14:08:03 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5a5e7d1340f7f0df55e3b9bd4e32a550a7ca937e240d9a3a4e7226fdbfd7b6a1

AgentTesla

73ba539a238da72c6f7bd2a0e528db1de3fdd6a1d6217613229c017eb758d4c6

AgentTesla

76ee0580c6650d545c9541cdc5f9227779947fd8006cf7f6907dcfad9f099cee

AgentTesla

85c23641539a99ea860c03d787b65de3860e5cc2e8fadc88cbfa9bbbb94b0fbe

AgentTesla

9e28ac65b7ebe4b1dbf9fa6c94b5e5df3fd3847553877aa693a383233a289add

AgentTesla

c8d3763e6bcba6e6cd767e3198f910abd5121786fddc43160e13b86a7232c8d7

AgentTesla

dc50396c3e2dd0d0d403262453b53abebbda33b32c919bcae92922c0ecaf822e

AgentTesla

f4236b44c0b2ece0fb939f9011e3e30c400ad359432155f23afbe5a6c3e97f6b

AgentTesla

fd5743be3e9f37434b78bc715d78670eded5e3c8fa968f48c940332b0c4333c7

AgentTesla

+ 8'494 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210817-m5vnkwqfl2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument

Unpacked files

SH256 hash:

cdf8b36d1e30f5781413015738a8018123cba1b256c6e219ade398072602c0a1

MD5 hash:

553a247d4e0e87fbfb74f8df0fdcd858

SHA1 hash:

be2e030424f3979e7cab40555a139b68f9fe5ecf

Link:

https://www.unpac.me/results/e394999f-2b36-4cf5-ba1e-a91503893f68/

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/e394999f-2b36-4cf5-ba1e-a91503893f68/

SH256 hash:

3bb827f266da9f87eaea8135d90e7c3d57b67d2cc1c1609b4bf8699c0d5dc723

MD5 hash:

417b36c7fa406c468a3486479962818f

SHA1 hash:

e9e0c7c23b861cdf086fd72a31a371884deaeef9

Link:

https://www.unpac.me/results/e394999f-2b36-4cf5-ba1e-a91503893f68/

SH256 hash:

f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b

MD5 hash:

c12b9137c5ceccee311215cbd5a8d7b2

SHA1 hash:

99fbecfd0e5348afba415bda708b3a929ab0bf77

Link:

https://www.unpac.me/results/e394999f-2b36-4cf5-ba1e-a91503893f68/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f89405314d11/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe f89405314d1136682a57f21b7b4e16cb23514c143b97032d7798c85711a9b63b

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1541805/

Cape

https://www.capesandbox.com/analysis/180078/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-17 14:07:51 UTC

url : hxxp://172.245.26.190/tmt.exe