MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d
SHA3-384 hash: 0a4585609daf909fe75ae3655d62352fc49c3729d80615facecdf35ff6cb7ec3a27b0422947eb682ae5404d49fd3f774
SHA1 hash: 77d42015b5b0ef713de9e90719105d5170530363
MD5 hash: d11169998cc347a644bb886cec7d5fc6
humanhash: oven-low-single-whiskey
File name:d11169998cc347a644bb886cec7d5fc6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:441'856 bytes
First seen:2021-09-19 15:03:07 UTC
Last seen:2021-09-19 16:11:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YmdhOkOJfxblG/dbvPRJqvgN9tGQiygL8zx:Y4if8lzrqwtFXN
Threatray 9'981 similar samples on MalwareBazaar
TLSH T1EC94121116FCD356D0794BF0E20024449776B3677B21EA8C8FC6B5CD0AFABA94964EB3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
nl-s1.dedicatedpanel.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d11169998cc347a644bb886cec7d5fc6.exe
Verdict:
Malicious activity
Analysis date:
2021-09-19 15:05:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f045f287-81a4-42cb-b62c-96853be22091

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189079/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Agensla.ic.19355.18020.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/933f6efc-1a1e-431f-b0b1-bae29f66c2a7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853524
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485955 Sample: fSvNgf9R1b.exe Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AgentTesla 2->50 52 6 other signatures 2->52 7 fSvNgf9R1b.exe 4 2->7         started        11 AFSsp.exe 4 2->11         started        13 AFSsp.exe 2 2->13         started        process3 file4 34 C:\Users\user\AppData\...\fSvNgf9R1b.exe.log, ASCII 7->34 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->56 58 Adds a directory exclusion to Windows Defender 7->58 60 Injects a PE file into a foreign processes 7->60 15 fSvNgf9R1b.exe 2 5 7->15         started        20 powershell.exe 23 7->20         started        62 Machine Learning detection for dropped file 11->62 22 powershell.exe 11->22         started        24 AFSsp.exe 11->24         started        signatures5 process6 dnsIp7 36 nl-s1.dedicatedpanel.net 217.195.152.2, 49779, 587 SHOCK-1US Netherlands 15->36 30 C:\Users\user\AppData\Roaming\...\AFSsp.exe, PE32 15->30 dropped 32 C:\Users\user\...\AFSsp.exe:Zone.Identifier, ASCII 15->32 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Moves itself to temp directory 15->40 42 Tries to steal Mail credentials (via file access) 15->42 44 3 other signatures 15->44 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 15:04:15 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yhtstqg53hqqvcwbuwpygqhxtu7k2cr5fpj7szt5poh5v6itmgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
AgentTesla
6f47301c8691d7f68ccf71931b8e2664fad0720d1f4d01f4bfda35cd1a076bd1
AgentTesla
865be6910571e1334ef42b0396a44f76c45ad6048132da31f5599fe2dcfa2081
AgentTesla
8fcfe841647c5f4d3f10b59fa63b2e2dff841b4c5c39cbfa828146281e49ad77
AgentTesla
a08a2ea7f574259a68c3cc7d0ff2c1f46e9a57e9802cf5fc41803787564451e8
AgentTesla
acc4f3dec5d471c28db29b9e7877fa419d157ebaa44b51039fbae33d6e33ca02
AgentTesla
c05e310c646407fa733712a98c822a5416ca1124322429d8d2a90966e909a6b5
AgentTesla
c604aca88130354a1cf9209f45898fc867ea3f178d36de173a36db383eb5e42e
AgentTesla
c688354e137fcaca21a335e36a8bd8d72862cda728a5bb69c08350d499e9c9c5
AgentTesla
e4649c6b74b9494074c6020ba5e73d1253ed1929146135f4e9dbc48da6ace470
AgentTesla
+ 9'971 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210919-sfkx3segdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
089bae9bf4e044e7786d93658b1c621b012a611602866a492f3ec00c3fba713b
MD5 hash:
105c7e3aad2b118f0bd14a3497bb99da
SHA1 hash:
f306033f97a33336ca830c63e11c3f2e0a265d0f
Link:
https://www.unpac.me/results/10fa7a15-303e-4f71-9c9a-366a279603e8/
SH256 hash:
563dc902519dc430db1828d8c06a102850557232c5e1ee6c3d392d852c9d5aa3
MD5 hash:
0898928001a1b4a3233a09b98620afd8
SHA1 hash:
ba2a21cb3bfba5a9e05950db83c848b7cf003f30
Link:
https://www.unpac.me/results/10fa7a15-303e-4f71-9c9a-366a279603e8/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/10fa7a15-303e-4f71-9c9a-366a279603e8/
SH256 hash:
fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d
MD5 hash:
d11169998cc347a644bb886cec7d5fc6
SHA1 hash:
77d42015b5b0ef713de9e90719105d5170530363
Link:
https://www.unpac.me/results/10fa7a15-303e-4f71-9c9a-366a279603e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1628338/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189079/

Comments