MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
SHA3-384 hash: ad9b7dd6ffda482ad1ae03165a05d9fd4843b771436127d0c7332fce401801b8ac8d2b826f24b5e295ee8d24ba68ecbb
SHA1 hash: e68001b82f9119ab55d7e915088d56091c52f0e5
MD5 hash: 3e8d0f55c2a870ced46e767c9cac6870
humanhash: carolina-carpet-colorado-seventeen
File name:Mv Bottiglieri Sophie Green - PDA FORMAT.docx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:535'040 bytes
First seen:2021-07-12 05:36:51 UTC
Last seen:2021-07-12 06:57:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9TW8uCJjuCn6iQUB8CHPku8TvKNK6KSK1XoMMmJu0kgRUl443loGSrOKmSjEfVrL:9TW2spx1X1MmJpkgelBK0HSjEfVrL
Threatray 6'865 similar samples on MalwareBazaar
TLSH T185B4F192A620EC39C6AB45F7DEE1A75465B3AF07EC74C58170BD73B46B33F906902218
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mv Bottiglieri Sophie Green - PDA FORMAT.docx.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-12 05:44:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83a4418e-065f-4382-90a8-6f5ae41a2da9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170876/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.919.16246.1517.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/872beaf3-a23d-4a56-82f8-06f78b3f4a36
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814515
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 10:36:15 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aynbpmxxn5yxcxoec3d7ug5kefp2bokdp27rj6uvukqwech4j2gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
AgentTesla
4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
AgentTesla
750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
a2116a39b0f6ba02799d74e44c3521e530685b6726b4443060a142f639d597d6
AgentTesla
abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3
AgentTesla
b399203403e92ab8865f492c93233be4d4d1ac1316c571b43171a052c7b214d7
AgentTesla
b54106089f5aa0b97aca6eb87655113e0629010b71d0a47c34d7dfaee54f0891
AgentTesla
cbf445acf88f00bf98448420369d09bb35264d53667272e3363fae6378fa7a1b
AgentTesla
d23d794e3cf354c91c283e13eaeae77749e3265866758d999b99c06a98861a05
AgentTesla
+ 6'855 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210712-hnlqx11cfs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
e6618dfbdba864e6c92a17a597bd77f76931f2915460366053dd96fecdcd105b
MD5 hash:
822cde97cfc11834bdce078e1b64788a
SHA1 hash:
b68f3ad9b43d21b067f6444b27c3f4cde166b5e8
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
SH256 hash:
218d4efdaa07a08160e2e89ef3524bfa86943d235a77c4f809fa028ad11cdd90
MD5 hash:
8f224a39599ec675260ba99353d570a7
SHA1 hash:
8c4b76c41ba71a6a60a00bbd6624f9cac135af6c
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
SH256 hash:
c52a46ea986d85fd8e3bb182b5adb1027ab9e32fd5d0b21d66a7d5abb8cc6376
MD5 hash:
b3ffbfbc77a3b66824d900b6ceed6213
SHA1 hash:
3927acfbbf7db84d1d933095827c2a1a99852574
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
SH256 hash:
0624a81c7d85ade1e4779ed372231cd2fde3ed15561fd1acaec137683dccc9a7
MD5 hash:
47c2cdad788fcaf266eeead11f03ba0a
SHA1 hash:
17deaab2e46cf7a2d9fc99db71da223794373a80
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
SH256 hash:
b4da742dafb2ac683525719c2a12917235fe1c304de44041d4a1f9d1bdb4419c
MD5 hash:
96354936859b2a25c649bb7d853c47c8
SHA1 hash:
054f2caf048e9f65a26ad07a4fa830fb6592b769
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
SH256 hash:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
MD5 hash:
3e8d0f55c2a870ced46e767c9cac6870
SHA1 hash:
e68001b82f9119ab55d7e915088d56091c52f0e5
Link:
https://www.unpac.me/results/f44790d0-ae0f-4aeb-9f6b-4b3b32b81342/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170876/

Comments