MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8
SHA3-384 hash: 8ca78d03c4e451950e4c1ec4cf9c9345e729e4f793fcbb288943ad0e4940c011b250ef24fbf8584a4b2c73d1b5f08a41
SHA1 hash: cf16159392359691f28c9a39b478f771819f81e8
MD5 hash: 7470bbb2c941ab599e76e11a7c6f62a2
humanhash: west-stairway-west-coffee
File name:Payment Advice DOC 03222021_PDDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'052'160 bytes
First seen:2021-03-22 07:28:33 UTC
Last seen:2021-03-22 13:03:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rx2GAmRnZRfP8AYaU2m4G0g9vbtbgiljEPoW9QCljVxAvKdm74CYt:rhGdj2yxbgvPnQChV+vKGTY
Threatray 7 similar samples on MalwareBazaar
TLSH 0325280523D96B88E27A977594750016C7F9BD09EB32EFADAD9470DA0A71B01CB37332
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ir.netease.com
Sending IP: 31.210.20.196
From: Erkhembileg Tumurkhuyag <noreply@ir.netease.com>
Subject: Payment Advice
Attachment: Payment Advice DOC 03222021_PDDF.gz (contains "Payment Advice DOC 03222021_PDDF.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice DOC 03222021_PDDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-22 07:32:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e5d84457-1901-457f-ac9a-9d38d0f7b4b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.594.23270.15356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647414
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 02:36:35 UTC
AV detection:
3 of 47 (6.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aktj7sjvvbnmpwaytfiw43vtndgjuljs54x6jhyxwxunkmp6t7ua._file
Verdict:
unknown
Similar samples:
2abef54041681b9251673959524c002821e9e90483c7cdc0e3668bf2cc2c91ce
AgentTesla
4b50cfdb80f97772bf9db74da5beaabe27ea414599f1c702c1a5014643413c97
AgentTesla
58626b2130d20a2bacbcefa97d06dc1e4d55b123a86a3f074bd2e8212ee60ae8
AgentTesla
9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80
AgentTesla
96be17cdcc9ea6acc0cb3ff4e463ad708b4abba9e66804040294b7c7dbdaf4a8
AgentTesla
9a312ce83cf5bb827d5a150688db81bc3d423792e452743b904e1006eacdd47d
AgentTesla
c606b9a9266efd06f8db163bced0cea6e69bcaf88185f29bb364289f7a067eaf
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210322-5tpj2vfyha/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash:
1d1234ba19c430923b22f531bb19b369
SHA1 hash:
9868c1e97a3be16100a61b5ee1f7d2838b4782a8
Link:
https://www.unpac.me/results/59455f52-303a-40bc-bde2-8b15e5c16f02/
SH256 hash:
02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8
MD5 hash:
7470bbb2c941ab599e76e11a7c6f62a2
SHA1 hash:
cf16159392359691f28c9a39b478f771819f81e8
Link:
https://www.unpac.me/results/59455f52-303a-40bc-bde2-8b15e5c16f02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz e7b97130b3450ae3d643293c19d5bb5c99e4040109b0d2aafa1bf6a167a4a7af

AgentTesla

Executable exe 02a69fc935a85ac7d81899516e6eb368cc9a2d32ef2fe49f17b5e8d531fe9fe8

(this sample)

  
Dropped by
MD5 af237862175551d656cb6e558487aff2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e7b97130b3450ae3d643293c19d5bb5c99e4040109b0d2aafa1bf6a167a4a7af

Comments