MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
SHA3-384 hash: 3bf2d65ff2a89bfb8e4458c0d5d87416384c32bea6dc519d00f5cfa991d435a9d05aba553c64d101e47c773e09df9e41
SHA1 hash: ece8f9af51fbf8071019484bd34e17aaa25d9feb
MD5 hash: a161196819b26398f780796785ffdd67
humanhash: yankee-skylark-king-texas
File name:ORDINI N. 278 - 279.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'552 bytes
First seen:2020-10-15 12:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dLXojGQrarHOobjayUrkzP4ey+MJpn2hGhWDwBP:dLXuGQr6HOo3ayUo0W
Threatray 103 similar samples on MalwareBazaar
TLSH 41D48FB86E4C966EF95F4D73C89D18D351287C5F0D87F2C768032AD88C2A251DAB24BD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Ordini - Agenzia Malizia <ordini@agenziamalizia.it>
Subject: ORDINI N. 278 - 279
Attachment: ORDINI N. 278 - 279.img (contains "ORDINI N. 278 - 279.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71356/
Detection(s):
SecuriteInfo.com.AdWare.MSIL.Testing24.27417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492294
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 10:32:25 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4n2n6u656ae2uufgtbpymkdmwvvusznz765sdvsx75kxrl2xgdq._file
Verdict:
unknown
Similar samples:
7666a9640caa1cd3032c124ae3b763f280cae9da5028586721e3aed9f476bf2d
AgentTesla
879f98e73afed5c6189c48268f35e2ee021df914e2e612b7568ae1eb4c5f5d16
AgentTesla
a0ab439553d3bee9b31115fa8b106d1ba6622b4b7c97e695814ed8724d52663e
AgentTesla
ad47a95274571e9bb73b9afeea618dbbbcf5c859b422b14a5d307116d98b7f9f
AgentTesla
c2a3baf11e6dda4c99e5ec516fe3bdfa0717a1383ca08468ec00ef6f41c8ef50
AgentTesla
d24bb55f5d9a39c42a96837653c4821ee9406d0896199db1b54cc3078b002547
AgentTesla
da17b064bf15e59d7b4866980857a224501221ba8540003d2e69ceed8f6315e5
AgentTesla
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
AgentTesla
eafe80f90a3a9a02cea6165309b01aab3ab9b7eab9401342b665e8fdefc65869
AgentTesla
f6e9e7b2c851a45cf6cadddf0d3481033fc84e0d6f1bbf817f70cb2b837aeecc
AgentTesla
+ 93 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201015-jhjdq3av2n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
MD5 hash:
a161196819b26398f780796785ffdd67
SHA1 hash:
ece8f9af51fbf8071019484bd34e17aaa25d9feb
Link:
https://www.unpac.me/results/6fd17f42-663f-4a56-a1e5-073bcd5dd12e/
SH256 hash:
76008bf0121e5528405f038435b9cf6d6a6179266aac179c267a97b73b133663
MD5 hash:
ae6fb1945f11af839bf9f136a60edd53
SHA1 hash:
ee5a80c97b838cff8ae09e6e2e2227af485050f7
Link:
https://www.unpac.me/results/6fd17f42-663f-4a56-a1e5-073bcd5dd12e/
SH256 hash:
b192a77891224d76c1c1eec544ad3aa2f5125925aff59af336ad010f287c4776
MD5 hash:
dd408c2aadd8229051e43b866aedf07e
SHA1 hash:
f73fc46afe3c4e6f79fdfc6e7d11fad84f93ecd9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/6fd17f42-663f-4a56-a1e5-073bcd5dd12e/
Parent samples :
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 6417b8a990eb5797f334447514065a872c25ef31d5de59dfecd89d681c997fe5

AgentTesla

Executable exe 071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987

(this sample)

  
Dropped by
MD5 3cb8a9b779ebb2e830b9d40fe3e78d6a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71356/
  
Dropped by
SHA256 6417b8a990eb5797f334447514065a872c25ef31d5de59dfecd89d681c997fe5

Comments