MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
SHA3-384 hash: 945e9d5ee3722f8861003f6b96b315be701604223eb52decbbf4b3f015f7d330419ea1b43cd9401edb935cf8fadde869
SHA1 hash: 4a58e22af89d30a1b9d2ba429ff5beb16d1bcab9
MD5 hash: 28c20dfc4b76af746219e983fb1d4b5a
humanhash: beryllium-undress-golf-violet
File name:PURCHASE ORDER NO. PO2000254.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:596'992 bytes
First seen:2020-10-22 06:48:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:t09A1GKZHNYPzodnaWghFAtdVG8hf5Z2ekZwghMiaQZnfWYl:CA1GUKzodaDAtdB5Z2eInhjaQ9fWY
Threatray 727 similar samples on MalwareBazaar
TLSH BEC4025560A9EB32E2BE8BF2305C050493F2116E57F2E7644EE377EA7A50F054B90E63
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pearltech.com.my
Sending IP: 95.211.121.204
From: Nur Fattin <nurfattin@pearltech.com.my>
Reply-To: liangchiphlippines@gmail.com
Subject: PURCHASE ORDER NO.: PO2000254
Attachment: PURCHASE ORDER NO. PO2000254.gz (contains "PURCHASE ORDER NO. PO2000254.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74483/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506679
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 02:22:15 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=alsceolowerrijlv4doo5h3ctfa4ijkdv2edtkjr4lgi537mxhca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
AgentTesla
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
AgentTesla
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
AgentTesla
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
AgentTesla
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
AgentTesla
9a6e3d08a19f78c4910503262e775bfeda3c3b53ea5e86e5430e1d4b4c92a6f8
AgentTesla
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
AgentTesla
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
AgentTesla
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
AgentTesla
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
AgentTesla
+ 717 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-pgwhh6xyf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
MD5 hash:
28c20dfc4b76af746219e983fb1d4b5a
SHA1 hash:
4a58e22af89d30a1b9d2ba429ff5beb16d1bcab9
Link:
https://www.unpac.me/results/bf4ae420-6bf0-4a1f-8bee-796a66cba760/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/bf4ae420-6bf0-4a1f-8bee-796a66cba760/
SH256 hash:
7abde5f300ad27a2a6ba3f93b787e25b533ca018031e8e98b610faf852936c4c
MD5 hash:
cec00f778754927db883dc2c916ff124
SHA1 hash:
63fdc9bdce0779dc9c260a6311a20ee67e01b4e0
Link:
https://www.unpac.me/results/bf4ae420-6bf0-4a1f-8bee-796a66cba760/
SH256 hash:
97538719d345c8a01cca40ac92ffe0f8bb6faaefcc750b7b6ca4c60cf1780eeb
MD5 hash:
581dbf4539e0390f220dc38fdba41662
SHA1 hash:
fdad0886bbdd7fc49f72faeb45f1a554e6931657
Link:
https://www.unpac.me/results/bf4ae420-6bf0-4a1f-8bee-796a66cba760/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 7e928eb315ef03052f34a3af0b3c5758532d33c0fbc7aafe695630a865c77103

AgentTesla

Executable exe 02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4

(this sample)

  
Dropped by
MD5 377d45c22c1417aa9db229d94173d14b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74483/
  
Dropped by
SHA256 7e928eb315ef03052f34a3af0b3c5758532d33c0fbc7aafe695630a865c77103

Comments