MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f
SHA3-384 hash: 5ab3a5463ffb34cc3cec19300aff2220de26f5b4fdb8b9a89b595e1e9f0a2a8ac2f7bca5998febc38e6931c61e2691af
SHA1 hash: 0a2c01b785d9bcaec305922f8f99b8ae7721e7eb
MD5 hash: b2a06b4fb1811354110a6ff29195744f
humanhash: colorado-skylark-gee-seventeen
File name:razi.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:954'880 bytes
First seen:2021-08-25 15:21:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:tZeZc8QKJoNrYNIun8E7NXjm4K2XgskvTGWU54M1TdJCiLKD/eIJJJvzV7DssOyx:tZYRR6FM
Threatray 8'914 similar samples on MalwareBazaar
TLSH T16C15068DAC9C51CCE02D97D01B7286D4639ED6FF28463536B06DF2722D5BA29DFA3804
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
razi.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 15:23:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25fa747e-c98d-4eaa-a3e0-66c237d9c3af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182349/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b0e5cab-a778-4f73-8f2c-f1756e9749b6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839186
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471613 Sample: razi.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 Machine Learning detection for sample 2->51 6 razi.exe 1 2->6         started        10 NLKBQYR.exe 1 2->10         started        12 NLKBQYR.exe 2->12         started        process3 file4 31 C:\Users\user\AppData\Local\...\razi.exe.log, ASCII 6->31 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->55 57 Injects a PE file into a foreign processes 6->57 14 razi.exe 2 5 6->14         started        19 razi.exe 6->19         started        21 razi.exe 6->21         started        59 Multi AV Scanner detection for dropped file 10->59 61 Machine Learning detection for dropped file 10->61 23 NLKBQYR.exe 2 10->23         started        25 NLKBQYR.exe 10->25         started        27 NLKBQYR.exe 2 12->27         started        29 NLKBQYR.exe 12->29         started        signatures5 process6 dnsIp7 37 us2.smtp.mailhostbox.com 208.91.199.223, 49733, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->37 33 C:\Users\user\AppData\Roaming\...33LKBQYR.exe, PE32 14->33 dropped 35 C:\Users\user\...35LKBQYR.exe:Zone.Identifier, ASCII 14->35 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Tries to harvest and steal ftp login credentials 14->43 45 3 other signatures 14->45 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 15:20:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zasmvskqjfwmbutpoh6ji4updnbqv7fuofltmrsyuvj5erliz7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
30b158a268121de18c54cff5537cc764ed771dc686f6de731ff823e4430f68b2
AgentTesla
597c4e531fe021e566c1040cf0a66fd4104c273cbdad24585ca4a89bba5a1c25
AgentTesla
6fa6547ef5a7c0392647c4dc9538818fe0c18b2e209cf297a26059249aa3c7d9
AgentTesla
7f100848ffb6fdc1e6747787b3fa3669a5fd4d7faa87d5b56c8d5470ab399d95
AgentTesla
a8f660af5a534e485b3921fbf08308b423e21e24006c0d479673afa93f0e0a67
AgentTesla
ad5e28f8cce65652f4f60d135b6006d0e1cccfa632f7ada11f60c6d4f7a4a18b
AgentTesla
b69c6670b90d4fd6f6100614e54fe4a357fd6e8cab84c9428e0d1d8715243ff7
AgentTesla
+ 8'904 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210825-3mfsrjnsqs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
84634ba8e77ff27a5f721f3089f90ce21053fc216734a333d0d2bbba38a0ff9e
MD5 hash:
ca3fccd6980b3b1208804e21cd81d5e8
SHA1 hash:
cc4b2f55e39a2d263286d17e241de8ffc1f797dd
Link:
https://www.unpac.me/results/2ec514cf-97a6-4774-acd9-0fd0918f7984/
SH256 hash:
b636df375819467df4351b5ea1e2a7f4196c259a7abd84e11b011d00c8366e3f
MD5 hash:
da58ed40ebce17d7f28b05d142092560
SHA1 hash:
b80c4132aa8b5cbe019b016fb33b72ab4ae96eba
Link:
https://www.unpac.me/results/2ec514cf-97a6-4774-acd9-0fd0918f7984/
SH256 hash:
fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f
MD5 hash:
b2a06b4fb1811354110a6ff29195744f
SHA1 hash:
0a2c01b785d9bcaec305922f8f99b8ae7721e7eb
Link:
https://www.unpac.me/results/2ec514cf-97a6-4774-acd9-0fd0918f7984/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fe4126564a82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe4126564a824b6606937b8fe4a39478da1857e5a38ab9b232c52a9e922b467f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/182349/
  
URLhaus
https://urlhaus.abuse.ch/url/1563796/

Comments