MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f
SHA3-384 hash: 5b3ca38941d841cc4b2a56dee33abbad6bce8a4cc85690046d4bc340666b4791d80a2616918d5c2a5b1f45606a89b91d
SHA1 hash: dc9152104b1ea18c79cd6b15b6cd8160b4e5c13f
MD5 hash: 6b1e934f92552b16b03103cd020e7815
humanhash: wyoming-nineteen-berlin-fourteen
File name:order_655718476_08.12.2020_08.12.2020_.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'052'176 bytes
First seen:2020-12-17 08:40:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:o23y+exEjZ7+GIlqQKojvNWgSaO0vSjiO4y:o23y+exEjZSG0qQKojvNFS+S4y
Threatray 1'862 similar samples on MalwareBazaar
TLSH F9E57B5C3C43309F768A40B456DB56E892DA311815B02B39ACE7247CEA1DDA77CDF8B2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pablo.sineer.web.tr
Sending IP: 89.43.29.119
From: import - export <info@aldemirlerltd.com>
Subject: Urgent Inquiry
Attachment: order_655718476_08.12.2020_08.12.2020_.rar (contains "order_655718476_08.12.2020_08.12.2020_.exe")

AgentTesla SMTP exfil server:
mail.sidecrown.com:587

AgentTesla SMTP exfil email address:
palacemutfak@sidecrown.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order_655718476_08.12.2020_08.12.2020_.rar
Verdict:
Malicious activity
Analysis date:
2020-12-17 13:33:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ffc6116-7a39-43c2-828f-8e6a377aaa1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20869.10496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/565244
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331708 Sample: order_655718476_08.12.2020_... Startdate: 17/12/2020 Architecture: WINDOWS Score: 92 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AgentTesla 2->35 37 Initial sample is a PE file and has a suspicious name 2->37 6 order_655718476_08.12.2020_08.12.2020_.exe 3 5 2->6         started        10 order_655718476_08.12.2020_08.12.2020_.exe 2 2->10         started        12 order_655718476_08.12.2020_08.12.2020_.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 25 order_655718476_08...020_08.12.2020_.exe, PE32 6->25 dropped 27 order_655718476_08...exe:Zone.Identifier, ASCII 6->27 dropped 29 order_655718476_08...08.12.2020_.exe.log, ASCII 6->29 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->43 45 Creates an undocumented autostart registry key 6->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->47 49 3 other signatures 6->49 16 order_655718476_08.12.2020_08.12.2020_.exe 2 6->16         started        18 wuapihost.exe 10->18         started        21 order_655718476_08.12.2020_08.12.2020_.exe 2 10->21         started        23 order_655718476_08.12.2020_08.12.2020_.exe 12->23         started        signatures5 process6 signatures7 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 04:44:02 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bl53fvvqyohjfzsfnpcq2n2m46iglpjz7egargh5s3wtviscr2pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12885b0462e6977afc7c42d03c8e039a5df25f70b610177b8e02f6642847584b
AgentTesla
3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232
AgentTesla
3be787bec6c661048c534c126761c2be937e70cb5ce8f1922cca5f4f22106b54
AgentTesla
51d5859f266a7b373d71b9fd71d2eec4975a8d35fb01486f624b9235120e12d8
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb
AgentTesla
e01ebcaeb9a4d013354443b10df0a2280861bb290e7c88bc32055dbfbfaa2065
AgentTesla
ede0c266836e85d1ac3bc623377fda09bb0135a9746a0ecde6d7c52c7eddfc24
AgentTesla
+ 1'852 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201217-kqxp6822nn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
AgentTesla
Unpacked files
SH256 hash:
0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f
MD5 hash:
6b1e934f92552b16b03103cd020e7815
SHA1 hash:
dc9152104b1ea18c79cd6b15b6cd8160b4e5c13f
Link:
https://www.unpac.me/results/cbc15f86-5241-4562-b2ef-64cfa08831d3/
SH256 hash:
66906335000be30c46962fc5a6deda1341403a71550a4cf45187d7271a7359de
MD5 hash:
4da3f4404168ba14d599658059e73725
SHA1 hash:
0950d43836ea96b1eaa8c4d23100296c43dfa01f
Link:
https://www.unpac.me/results/cbc15f86-5241-4562-b2ef-64cfa08831d3/
SH256 hash:
9c11040bc5628b2e84eafee55c948796a88b07b62517b608e8d54950ba76a099
MD5 hash:
d85b4be4daca29538fac7af56c66eaaa
SHA1 hash:
1fe2732ab93488ce61f02c416a907bbe8c236d1e
Link:
https://www.unpac.me/results/cbc15f86-5241-4562-b2ef-64cfa08831d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f54b5e3e89496a22f582ac3b79fb27836c37ed8f7c933ee90247000ba70b21b8

AgentTesla

Executable exe 0afbb2d6b0c38e92e6456bc50d374ce79065bd39f90c0898fd96ed3aa2428e9f

(this sample)

  
Dropped by
MD5 9ce9cd849143011a5255914d6eb14e10
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f54b5e3e89496a22f582ac3b79fb27836c37ed8f7c933ee90247000ba70b21b8

Comments