MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1
SHA3-384 hash: fbc1471e6a3ef4dbfffdad5c6a58276f48103ca40c4200cf8d6ebfa17062aa03a7e21a6932a495bdd013654115f6efcb
SHA1 hash: 41ddc7ab8df3cf9beabcd10f7358028a65b76ba1
MD5 hash: 3c86a6495cd781d45c1545152d73bd3f
humanhash: item-mexico-spaghetti-hydrogen
File name:payment notification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:465'920 bytes
First seen:2021-04-06 08:13:54 UTC
Last seen:2021-04-06 18:59:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:oAuEKbuVbigwm6nVAN8Uc/n6r60/VDUSY4tumdv9yVjfaN5MI8g3yfYnV4hfLC:wsPpIV1Fn6OAVo1ToOg3ef2
Threatray 3'828 similar samples on MalwareBazaar
TLSH 28A4D0957737AD5DC6080F32E83788B972F5D036A126E72BF8F836D41836699433A613
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.wemoveultd-ss.com
Sending IP: 194.31.96.133
From: Mohammed <moh@consultragroup.com>
Subject: Re: Invoice
Attachment: payment notification.gz (contains "payment notification.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment notification.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-06 08:30:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8dc5fa56-057c-4da2-ba5b-008dd0162285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132604/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46031737.8548.27660.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667297
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 08:05:05 UTC
AV detection:
20 of 48 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbpsk5tujvjr5kufcwzhkvbibhtdqu4xxfphgxsuy7nnigge4daq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fc02fb4b07f919a0ff54d7e3ef0ca5fa9581fc26fa311e44338c32590f36a3b
AgentTesla
5b8e5eaab8f48bd7ac92bf7437383abc5182ec3667443de0aee1f5d2b8711750
AgentTesla
826298b4d035818be292a13b27215db4d94733f28df50f94e9a93a5d3fea2190
AgentTesla
841b06b50c50fb14aa583956475f860d25ce4180d9cd7d26090cc96cea3903eb
AgentTesla
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
AgentTesla
87fde2e49507d58cdcc464c5d3e36d322c7f77a4f9e5cc0f1a46455f1a67df5c
AgentTesla
8cdb536378c7a12bb65333b52664cb99cd74a8b14afbc1b74ae73111b8edfc57
AgentTesla
d01b3522dd2a17cd248709a670e7da25be8ab17565848e76b1087d1d1e11fe33
AgentTesla
e0cb1fe1256cbf26178ffac07b55cdbd9ed9e9cd53d1d2642f8ba43db84cf8b4
AgentTesla
ea38d6c624c939a89adfd073dbd1253e6126ab202b84dac07c3d362f2b528adf
AgentTesla
+ 3'818 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210406-q428l99at2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1
MD5 hash:
3c86a6495cd781d45c1545152d73bd3f
SHA1 hash:
41ddc7ab8df3cf9beabcd10f7358028a65b76ba1
Link:
https://www.unpac.me/results/9efc937a-051e-437b-8703-c3b5cdc64858/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 870e8f1969f0bfc68f88ea06a45b087a8ec73e1cb6c650a0934578b24a40bfba

AgentTesla

Executable exe 105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1

(this sample)

  
Dropped by
MD5 0a62e153be3274d00705da9af9e73298
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132604/
  
Dropped by
SHA256 870e8f1969f0bfc68f88ea06a45b087a8ec73e1cb6c650a0934578b24a40bfba

Comments