MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 9 File information Comments

SHA256 hash:	fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb
SHA3-384 hash:	eb3646767995ad6cc94c44c653421e36fd46d3e49599c09bc4fe24ba630a0cf807944057904f05e3b50691c6ae3e9779
SHA1 hash:	f844e6d565e5bafadb1810d0342c5a1d23fe787d
MD5 hash:	3387b55417833dc977527819b4caceea
humanhash:	kansas-foxtrot-virginia-mobile
File name:	3387b55417833dc977527819b4caceea
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	659'456 bytes
First seen:	2020-11-17 11:38:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:qFSXoENl6K5yZipIhD3AU2Q1H98i1e7t8LF:qIXpMKwsIhD33H9pYR8
Threatray	9'944 similar samples on MalwareBazaar
TLSH	F3E4023121C3BF57E7BB5E71A2B226842E757D27AA30D60D7DCC018D61B1F448E60AB6
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Taskun-9791093-0

Win.Packed.Generickdz-9792504-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-11 07:24:22 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=72opt5gqi2labalaipwgfrijv3uc4ir26sxfqle3kn7gjhkcjhfq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0692a4e8916df354987539ff2781631f65e7b691df4f558b6b510ab5c63bd070

AgentTesla

395aadc58bde92d29449ba1d349f39e73205f9e2794cbbbd397f85796c91de77

AgentTesla

4ac466c76827f1d0ea87e1cd6e58df30d182e89920208ea888f1434b03f2e227

AgentTesla

5e59fdc976c0b0230265eff944a997b11ceb8f088945f03f569d4d49396f43d0

AgentTesla

7c2f0c42ed478e241d2fdb2580915342c5dbd50acc3fafa26908ae73a581eb3f

AgentTesla

b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb

AgentTesla

c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96

AgentTesla

d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16

AgentTesla

f07787fba40b6e3e4e36a0a756db79e78c00f8bb665902c888d18b8e1c770537

AgentTesla

+ 9'934 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201117-7l5fjzl4sj/

Behaviour

Creates scheduled task(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb

MD5 hash:

3387b55417833dc977527819b4caceea

SHA1 hash:

f844e6d565e5bafadb1810d0342c5a1d23fe787d

Link:

https://www.unpac.me/results/800d9f7d-aea2-467a-95c7-368518dfb050/

SH256 hash:

5ca5731df14cda850ffabf0ffcd0a43faf5f5c940420de261777bcc317de8812

MD5 hash:

79f454927d128bdb343fb52c3e1f38bd

SHA1 hash:

1e9060e9a8b1097c3865d929f2d7c084159cc339

Link:

https://www.unpac.me/results/800d9f7d-aea2-467a-95c7-368518dfb050/

SH256 hash:

9be1ad616a483be6f65e69a88fd1d6cab6e8217236ac189d8b903f5f8c686832

MD5 hash:

55314db41bfc3877e5ad1250047a77f3

SHA1 hash:

6e21eb482f0a6b719359b3fb56b52abca46a673e

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/800d9f7d-aea2-467a-95c7-368518dfb050/

Parent samples :

fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb
0096dc44d88cb2dc617a69d3b9fef566a848c661f00bee5a85afcb205a33aba9
ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
69cbd1cde514fa34db916c79d034366b291e3ea63917b52ec76bef88060bfce0
bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
733791b9f0a883fccd3d16935d700144bdfb9e5b8ca2ee4a095fa30ce9c301e5
4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/800d9f7d-aea2-467a-95c7-368518dfb050/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekshen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample