MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8d6e647d8611efee71472288c0959d0e7f2950e1bbd226877872de5fc4beeab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	e8d6e647d8611efee71472288c0959d0e7f2950e1bbd226877872de5fc4beeab
SHA3-384 hash:	98269287f831c6f22396af268f7ec7baa568e175ac648159bc5db99b9fa30245ff7f96b87a7078e53f1f3c982e3a5a89
SHA1 hash:	d7ddf8ea33e17a0850e02be9db52d999e2d4353b
MD5 hash:	36985f78fc46edf45ccc0f229cdf6564
humanhash:	single-orange-illinois-skylark
File name:	NEW PURCHASE ORDER FOR AUGUST.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	676'352 bytes
First seen:	2020-08-15 17:23:37 UTC
Last seen:	2020-08-17 13:33:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:Av4EcmZHAFaxmVmie9bngP0KOPw9+Ce1Xsy2PBvP+tPaVnoDojzL8P7r9r/+pppf:44EcmZHAFaxmVmie9bngPxOPAuXR25oa
Threatray	9 similar samples on MalwareBazaar
TLSH	4EE47B88F49065A1EDE89BB16A36CC3443233FA96835991F28DD3D673BFB7D22025417
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: appareltech.co.kr
Sending IP: 103.99.1.149
From: Mr.Cuong(Appareltech) <appareltechvn3@appareltech.co.kr>
Subject: [COLUMBIA] Purchase Order for 04/30 BUY_F20_SHANGHAI JIUYU_ATC VN
Attachment: NEW PURCHASE ORDER FOR AUGUST.zip (contains "NEW PURCHASE ORDER FOR AUGUST.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/46332/

Detection(s):

SecuriteInfo.com.Variant.Ursu.435286.10963.12734.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/432073

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8d6e647d8611efee71472288c0959d0e7f2950e1bbd226877872de5fc4beeab/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-15 16:21:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5dlomr6ymepp5zyuoiuiyckz2dt7ffiodo6se2dxq4w6l7cl52vq._file

Verdict:

unknown

AgentTesla

0fa2721f9583ee945d3909290c0ead73dcf4e3cb5739a6f4423f3da6899fd602

AgentTesla

73608da475a8f39de003de8d1bfbc1c00e3481b0bbd2034d2e74ad949d626f99

AgentTesla

bf1016ffb1ecdff1fa7b2b6773ee693cfc6e7e16bdfc467639fe9b60a7c9c668

AgentTesla

c2384159db2fb98c982b2720d78622dab53020509d3889dfe91d8c3ba21e0e1c

AgentTesla

def3e87e1a17d970c000924de61ae6f4fd93607741cc21ccd43c3198738759da

AgentTesla

f3df7d3bb9a05ff881cec0a5947916d08030d2424c8a233820dff5e92a95f4a5

AgentTesla

f5c20b9e96fde1f84b7578a3f29a00f96e161c9bbdfac2675fcd253b41627a9e

AgentTesla

f8113167cfaf623d5c08b33685577743fb96bd3daca2cd915d8b3efe81ad3a8b

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla persistence

Link:

https://tria.ge/reports/200815-d5bccqc2ln/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/e8d6e647d8611efee71472288c0959d0e7f2950e1bbd226877872de5fc4beeab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cannon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator