MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc
SHA3-384 hash: 2492caea084039e01a53736b34d51b4854a71b8757ee726e181bd06f4f18c505daa562dd5c80e3d78636cea8ca1848c7
SHA1 hash: ccb7c76b70c18f09694eb7643b17512701bf7ac9
MD5 hash: 3cc22a1ec55d679078a0420d0aa35f69
humanhash: purple-avocado-shade-massachusetts
File name:3cc22a1ec55d679078a0420d0aa35f69
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'042'307 bytes
First seen:2021-06-24 12:08:38 UTC
Last seen:2021-06-24 12:53:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 30220073278a14640d884438f7a8ce89 (1 x AgentTesla)
ssdeep 12288:dQtglygKLHn/DYCb3h6ljg42TgIuxObzc9VZ4dpMLZ5GL88Eew8x5:dQtKygoHv7h2E42TgH4dpozGLaewG5
Threatray 6'801 similar samples on MalwareBazaar
TLSH C5256D13BE852405D6275CB075E6F9790B319C0A68089E07BB98FD8838FB54265E7F2F
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3cc22a1ec55d679078a0420d0aa35f69
Verdict:
Malicious activity
Analysis date:
2021-06-24 12:09:38 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/27a6b555-41b3-44e9-851d-b771d75c3fdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168012/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12720.24178.14512.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9160db30-7917-48ee-bd87-ffb845ed3ba1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807442
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 07:38:02 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ivd2lmhqubhjgs4rma2mjckropcw7ymwo45bwc4vxbkrxfvvdoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713
AgentTesla
4f6160e4c934ebea2ec7628b06c97b7995d0b4378f817adfadb15c90c3edb202
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
7c34d3a45ef7f41c4b5d5555a1fb7fafae2ee86dbb08b61f7743ffcb80e70690
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb
AgentTesla
c72d7d37bfc58d17a038a2081596013821cdd3838936fe93f32c559774a2b550
AgentTesla
e860f949006657d88539f009376c3b6ed3947e81ddd1dcc2253f0c27b1945806
AgentTesla
fa84a0c29e5aa8ba804e8cdfaec78f1f642b7de25d89c02ff03a7a75588b4663
AgentTesla
fc166af65772a1d1402c921cd81c5711d1e49abdd78e08ecf546626974d57314
AgentTesla
+ 6'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210624-sbkg3g97ns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6545b899d4aa4dfd5db47722a28ec736e2fa6d87c59b96b27f732edded2f8f8c
MD5 hash:
21356acef596d36d3e0a89be180e5f00
SHA1 hash:
c401ca6da7d115d746d7c0754efac7271026a2ce
Link:
https://www.unpac.me/results/bea2258d-deab-4721-8415-31ca4e6246e1/
SH256 hash:
fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc
MD5 hash:
3cc22a1ec55d679078a0420d0aa35f69
SHA1 hash:
ccb7c76b70c18f09694eb7643b17512701bf7ac9
Link:
https://www.unpac.me/results/bea2258d-deab-4721-8415-31ca4e6246e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe fa2a3d2d878502749a5c8b01a6244a8b9e2b7f0cb3b9d0d85cadc2a8dcb5a8dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394566/
Cape
Cape
https://www.capesandbox.com/analysis/168012/

Comments