MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6
SHA3-384 hash: 93088e6d686edc390f0428a2cb30fe99a766f42ca188eddb1c5fb9a9eae070d1101fc3be58ff559fba60c312a2752a52
SHA1 hash: d3dd7762316be52ad940b22ec9e8988d96175c9f
MD5 hash: 59c8830cabb71709f15f5451e18db6a4
humanhash: uranus-lamp-illinois-pluto
File name:Payment advice.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'330'688 bytes
First seen:2021-08-02 05:33:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:gxCDmP76DOIofx8Dgofx8DgIqFKXpZepATYvrqJNQOnztstZk2L:gdP76s58Dgo58DgIwKXp4pATwrcNbwZZ
Threatray 7'688 similar samples on MalwareBazaar
TLSH T15A55D0D93941EABBD62C17B55518D4C053A99810D227FBFEBE6222B233E16394F24CF1
dhash icon b271e8e4d4ccf070 (22 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
840
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment advice.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 05:56:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d41014a-b3fa-46e3-8d18-760f53f5b97b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175668/
Detection(s):
SecuriteInfo.com.Artemis59C8830CABB7.6221.8593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b74ad38-0295-43da-bd73-17eac723690a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825248
Signature
Drops executable to a common third party application directory
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457658 Sample: Payment advice.pdf.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 34 hosseinsoltani.ir 2->34 40 Yara detected AgentTesla 2->40 42 Yara detected AgentTesla 2->42 44 Sigma detected: Suspicious Double Extension 2->44 46 6 other signatures 2->46 7 firefox.exe 3 2->7         started        10 Payment advice.pdf.exe 3 2->10         started        13 firefox.exe 2 2->13         started        signatures3 process4 file5 48 Multi AV Scanner detection for dropped file 7->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->50 52 Machine Learning detection for dropped file 7->52 56 2 other signatures 7->56 15 firefox.exe 14 4 7->15         started        18 firefox.exe 7->18         started        20 firefox.exe 7->20         started        22 firefox.exe 7->22         started        32 C:\Users\user\...\Payment advice.pdf.exe.log, ASCII 10->32 dropped 54 Injects a PE file into a foreign processes 10->54 24 Payment advice.pdf.exe 17 7 10->24         started        signatures6 process7 dnsIp8 36 192.168.2.1 unknown unknown 15->36 38 hosseinsoltani.ir 185.55.225.19, 80 SERVERPARSIR Iran (ISLAMIC Republic Of) 24->38 28 C:\Users\user\AppData\Roaming\...\firefox.exe, PE32 24->28 dropped 30 C:\Users\user\...\firefox.exe:Zone.Identifier, ASCII 24->30 dropped 58 Drops executable to a common third party application directory 24->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->60 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 05:35:02 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai52hyojtlscj3iup5lxzwrbebzlvn4k425th6odocf7smcp3hla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e
AgentTesla
226055fd9a87d3bb38acb21c4d3dd7222d600003c72fab036286b9b15b233518
AgentTesla
52a2f5a09b78228b44fe6f9dde56cbd8829a5d3d1ebb5bdfc0fce0bd781f1a94
AgentTesla
707895a21d0cca8090751e66bdb5f93f37e4b7e53a217de7e3fb101950117604
AgentTesla
7b24666cf38e0d890f6fe1edf2d87d48fb310e7ebeaba69fe45f91756d4a3447
AgentTesla
8ad0fddce1bb4505448cfa06f72e25ba3fbf10e211cdbae670b2d22018d1bb8d
AgentTesla
9805afbc4ec53bea5c08ab912445f1a9e34791eeaaba6c8ec0d50223e2c6005b
AgentTesla
cd39582c37832642af07733f3445011cd7be2b753d70784fce6815ec754f93a0
AgentTesla
d52a546ff7266c7357725076685dd54b11d1616423cd80fffd71d519df0811f0
AgentTesla
edc35a30929551065c11f8606ebe20772d1fbf3aeaf35e60f3117cf28361ac9b
AgentTesla
+ 7'678 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210802-r9zaejy2j2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://hosseinsoltani.ir/wp-includes/q/inc/fee9696d169ef9.php
Unpacked files
SH256 hash:
2d22d96ba711a89454b0070c145515026bb33b5697ebe4962edb4f23fada824d
MD5 hash:
83e212283b44a84a2a659b9a47bea43f
SHA1 hash:
d64bf397c9f35ba107fadc126de18da7879077ed
Link:
https://www.unpac.me/results/b4f93ce0-8207-420b-9280-d0855ab4432a/
SH256 hash:
499c2d7ebd33801a1a97875026642e41d469758acf85c8e4b312b89e890c2855
MD5 hash:
d364dbca23fc8453b3fad252ca4016dc
SHA1 hash:
8f85efd47fb876216439623623e17b114e0f4c5d
Link:
https://www.unpac.me/results/b4f93ce0-8207-420b-9280-d0855ab4432a/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/b4f93ce0-8207-420b-9280-d0855ab4432a/
SH256 hash:
023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6
MD5 hash:
59c8830cabb71709f15f5451e18db6a4
SHA1 hash:
d3dd7762316be52ad940b22ec9e8988d96175c9f
Link:
https://www.unpac.me/results/b4f93ce0-8207-420b-9280-d0855ab4432a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 023ba3e1c99ae424ed147f577cda212072bab78ae6bb33f9c3708bf9304fd9d6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175668/

Comments