MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9224cfac346b76e9451cfafe69c95015e4ca3bf55736567cc633405437c4efb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	f9224cfac346b76e9451cfafe69c95015e4ca3bf55736567cc633405437c4efb
SHA3-384 hash:	29bd5e59a2950c0d1d8caf15bbaba1a3d719ba1f254df507145cdc1c5b099aee9b4e11d9c9237bff26b75aef7e62101c
SHA1 hash:	2f36861b2169cc31a4284f30d0fc57a648630c3a
MD5 hash:	e73155a665df78a9574f8bc73f1c0b11
humanhash:	delaware-football-colorado-berlin
File name:	ONLCP2018485.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	722'944 bytes
First seen:	2021-02-16 20:27:40 UTC
Last seen:	2021-02-18 05:25:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:z3GT3Jxiw7KpiqAB0ixiidvdHc1zp5/FwMBIP7NITNqOQuEUb1byR0e5z+hfcYvK:z3GT3Jxiw7KpiqAB0iwWwrSMY7GTNqhp
Threatray	2'672 similar samples on MalwareBazaar
TLSH	4FF4028233BD5F56E5BA13F2AE35240043FA7D7A2621E2199DD121CB18A3F108F56F97
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/117447/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/609499

Signature

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f9224cfac346b76e9451cfafe69c95015e4ca3bf55736567cc633405437c4efb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-16 10:04:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7erez6wdi23w5fcrz6x6nhevafpezi57kvzwkz6mmm2akq34j35q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1ef805d037a3e6d5667c5f09316d85231d217c452c0759fd16ccd34f75e3c22c

AgentTesla

5d9938c5f5b37b02eba6c35969a6e8a9b58f63c38e0381e267bb1809dec2ba23

AgentTesla

a44811258fb1eb694a7c2b561b2c993df6492960be2ce4d749bfe5a172626e27

AgentTesla

a74793a39fe6c942643ceb7ec5640d92890dd34b49244582113b3161863c3409

AgentTesla

adcac50d0023e4f7103f3870fe9fc1ef9873904fcb1d7765b4ac589c0d12d47f

AgentTesla

b996aa93cfd2549ee1548a4940194b421808975059805614ef9b40bb5e75c8d1

AgentTesla

ca16f25705d39c0a16f656c7d585d08884bdad3b2604850a52daf4040c8663c6

AgentTesla

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

AgentTesla

fdf3aa0df3a0d4a6d053c55b970ad22f71f5db88f2da4f94bc18f1926b731f1b

AgentTesla

+ 2'662 additional samples on MalwareBazaar

Unpacked files

SH256 hash:

2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788

MD5 hash:

987ce346069cf47535e5ac57265c7228

SHA1 hash:

d0085325ed78fcac6d1f605753237abd1c40db22

Link:

https://www.unpac.me/results/74b38bcc-c653-400b-b28a-276dc31d1499/

SH256 hash:

652ecad43bbbdad780be9b70601540fc709e5f233463e34be5bba9b03a96782b

MD5 hash:

d82f7ce8be3ec3a80a18c366a5e24bb4

SHA1 hash:

a1e7cdc0867058ed624bbd14e31ef35af99f3af5

Link:

https://www.unpac.me/results/74b38bcc-c653-400b-b28a-276dc31d1499/

SH256 hash:

06d6884d6237534d852e53185acd400896ee107e4665026067e1c39b5c93d8af

MD5 hash:

bfdcd8f1a406046299c6dab61f1f18be

SHA1 hash:

1ada4d695e7531e3a54f101d6ae08b63f59d278a

Link:

https://www.unpac.me/results/74b38bcc-c653-400b-b28a-276dc31d1499/

SH256 hash:

f9224cfac346b76e9451cfafe69c95015e4ca3bf55736567cc633405437c4efb

MD5 hash:

e73155a665df78a9574f8bc73f1c0b11

SHA1 hash:

2f36861b2169cc31a4284f30d0fc57a648630c3a

Link:

https://www.unpac.me/results/74b38bcc-c653-400b-b28a-276dc31d1499/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/f9224cfac346b76e9451cfafe69c95015e4ca3bf55736567cc633405437c4efb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/117447/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample