MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbaefdbb1266cd0801697b4d1d9641bfe6b0583ad4139b9f88194b13e8372db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbaefdbb1266cd0801697b4d1d9641bfe6b0583ad4139b9f88194b13e8372db1
SHA3-384 hash: 8a0a26d6ad3d1fd17954f1303ec377ec258a10e9d8e78c7d0a7201f421196ba2f9811f6c353f2055f6c9cb84f1a4d32d
SHA1 hash: 700aba33ccb415b13fc5ee371802aede6df78bd6
MD5 hash: bc14a30706b6b0c68fcd39ee83ed077a
humanhash: ohio-comet-winter-mike
File name:PRODUCT_.BAT
Download: download sample
Signature AgentTesla
Create hunting rule
File size:872'960 bytes
First seen:2021-07-14 12:19:03 UTC
Last seen:2021-07-14 13:56:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:xKkGJM7SlrNls9XOd4+QC18Vth6ZUitXvRoWFJ6kWpe2DUM2y8DTQYp7VPBFvAZ3:xKRgth6+i/F6hz2zpBPLAZbD
Threatray 6'984 similar samples on MalwareBazaar
TLSH T180058C6C23BD6709F237FF31AFA5E6449FA666B58219DD0D2CC4024B4821D81EEA7D31
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT_.BAT
Verdict:
Malicious activity
Analysis date:
2021-07-14 12:22:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d37aa31-a0c5-452c-bb16-f92acb286691

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171648/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.2525.19369.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df24314f-d370-468b-b310-b7cfca4a8ca1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816189
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fbaefdbb1266cd0801697b4d1d9641bfe6b0583ad4139b9f88194b13e8372db1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 11:05:40 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oxp3oysm3gqqaljpngr3fsbx7tlawb22qjzxh4idffrh2bxfwyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ba21a458c54d5e18218ee2cbdba20f6130fd55ab0951db770b3882e773a8917
AgentTesla
318f320b2aad6ce2be54a45efb8cb065bc33767ce6029f952c26d96ec08076aa
AgentTesla
49bda02d360d6c5a7b5a340a72a8a32d5da1afe5e07653a781b0a3f610f8c332
AgentTesla
689e61e9ee2c53df4e450554a4b4a3fb69af884692bae7ba437de773b2aae0b4
AgentTesla
84d9088f856e12f998ce324510f185b9e6939c8d1cb2cdb46eb9b38baf879619
AgentTesla
a62281360a594e22783fb5dfc0e34645726b22df9ae0939b56a5b41e51289f97
AgentTesla
b586f0ad8c0a59dce27f0da449d5b4c7abb402a0e5d297831e73331442debb8f
AgentTesla
d47d28326953ea628f813610312145619cb7cb86e24470fd39050eeddef8dac8
AgentTesla
f2e67fd733ca7d4c22f1bda695c89d4a3f8ddb4dbfd7afb7b2ee22dcb81bce47
AgentTesla
ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d
AgentTesla
+ 6'974 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210714-jhrg3q6dv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/29412824-9fce-4b54-ab28-8935ce19d385/
SH256 hash:
e8a86e025c2aa734e66fa81eda405b2ea8a6b14935ac8aabc31651e7f25d7020
MD5 hash:
4705e17398f5062d7aaac570d10104aa
SHA1 hash:
d1e5d24d37a442296b510642526d055863a38e18
Link:
https://www.unpac.me/results/29412824-9fce-4b54-ab28-8935ce19d385/
SH256 hash:
cfd7c5ca45252c032ce1633dff58fd19e505767562eaafc29f68b635c58c1ea7
MD5 hash:
ed5b73aee1a6c81c728c57014bb7beee
SHA1 hash:
c47b264fe8e0c4292c7f473b14df5cb3a2d6d75a
Link:
https://www.unpac.me/results/29412824-9fce-4b54-ab28-8935ce19d385/
SH256 hash:
b3d9e4cd24d2d6cb9278a47d4e9b394b63831652e6f2a8d5422d35d91049441b
MD5 hash:
833fa0925d9d4395786e3b41ce7d5fed
SHA1 hash:
89757b659ebf8b4088fa4cc145f2a0922a7abbd9
Link:
https://www.unpac.me/results/29412824-9fce-4b54-ab28-8935ce19d385/
SH256 hash:
fbaefdbb1266cd0801697b4d1d9641bfe6b0583ad4139b9f88194b13e8372db1
MD5 hash:
bc14a30706b6b0c68fcd39ee83ed077a
SHA1 hash:
700aba33ccb415b13fc5ee371802aede6df78bd6
Link:
https://www.unpac.me/results/29412824-9fce-4b54-ab28-8935ce19d385/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbaefdbb1266cd0801697b4d1d9641bfe6b0583ad4139b9f88194b13e8372db1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171648/

Comments