MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804
SHA3-384 hash: fe8be21bde6b5ef3bddde2d37d4eb0e6252895ea33c87a5d3c300b557087ddfaa493068a8e5feb0b4e9eb7f8818e905a
SHA1 hash: b3090ce3efc5b75f6eaa2273ad1a920e7b4d8e4b
MD5 hash: 806f2bb2a89f7e9e52f1e1868e12f177
humanhash: red-eight-magnesium-finch
File name:DE94094884.COM
Download: download sample
Signature AgentTesla
Create hunting rule
File size:893'440 bytes
First seen:2021-09-20 22:11:53 UTC
Last seen:2021-09-20 22:49:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:gA6qFuhA4mdvpvNt0qG113yDj4ZA+FooObl:yqFuhAzdvpltf0G6o1
Threatray 10'077 similar samples on MalwareBazaar
TLSH T1CC15D02022A4C26AE1FBF77CC4729471873EFA86A426D95E5DC3D8DA0D25341C51BF2B
File icon (PE):PE icon
dhash icon a6591878d162e41b (9 x AgentTesla, 7 x Formbook, 2 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DE94094884.COM
Verdict:
Malicious activity
Analysis date:
2021-09-20 22:13:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb9ded4f-a98b-4430-b2f7-ddc9140d7cf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189614/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.13829.2980.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6e7730b-2c4a-4bee-923d-25c47b73588b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854471
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 08:16:57 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mtdovwudan5hw7qfdli5yodila7m2m2ajzh2snrx7ijuzr3laca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce0a82bef3a8852e9cd21fa303880fe34243a8bf8940384a8303da6b4677a2c
AgentTesla
43f6edcd253f873d92084360b73166040790c8bf7ca9ea125a736b67cb5f3d58
AgentTesla
64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6
AgentTesla
6cda0c998a3484125f71a4c086e2652a72c977d90ff4e187a5dae1d62239f31e
AgentTesla
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
AgentTesla
7cd6d59439d525ccf002e777f2118121cd494a5a6d5de8710298344beaeb6c72
AgentTesla
7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325
AgentTesla
865c3d355eaf051241f621f24a13dda3e8500d28a7c3c8eaa779df1b90da1ccc
AgentTesla
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
AgentTesla
de80a1b1bc2f591fa7c7bb8cebbf8532543ee7dbb754dde9a2e698ead4b20b4b
AgentTesla
+ 10'067 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210920-14g54aacal/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
a71558bcf8fc8e815f3ee4bfccce5337a90b9f23327096a62999258a9dda5c0c
MD5 hash:
dc8fdd59745f08d0dd0ff87694ca4a50
SHA1 hash:
faf6ba0bb5fc90eec39170a5936941bb52712431
Link:
https://www.unpac.me/results/b9c407c8-0fa0-4a1a-9fdd-f3c76be5c695/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/b9c407c8-0fa0-4a1a-9fdd-f3c76be5c695/
SH256 hash:
c3d1349e29aebb3394dfa5e310b145407b72fd7da0cfbfc1880abd1a337dc925
MD5 hash:
02d89af374436bf6c09abbafcf5afe9d
SHA1 hash:
97b5556f1cb0cd59af59600dc7ab92d05be42216
Link:
https://www.unpac.me/results/b9c407c8-0fa0-4a1a-9fdd-f3c76be5c695/
SH256 hash:
5f82be2856579cb575c0fb1988022540b426481b6106bdabd8fcdfd59de3e87d
MD5 hash:
d45fc747e84af19eba37e85ac41fb6e2
SHA1 hash:
26d057e8669626aa96914cb8cef860bdeab99958
Link:
https://www.unpac.me/results/b9c407c8-0fa0-4a1a-9fdd-f3c76be5c695/
SH256 hash:
fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804
MD5 hash:
806f2bb2a89f7e9e52f1e1868e12f177
SHA1 hash:
b3090ce3efc5b75f6eaa2273ad1a920e7b4d8e4b
Link:
https://www.unpac.me/results/b9c407c8-0fa0-4a1a-9fdd-f3c76be5c695/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fb263756d4181bd3dbf028d68ee1c342c1f6699a02727d49b1bfd09a663b5804

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189614/

Comments