MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 9


SHA256 hash: 10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4
SHA3-384 hash: fd2b376a93c6e547b0b002bf81cf4e2833018b7fddb79123b7ba6c93addc49a76d555055373275dc04a486249d9d345a
SHA1 hash: 4cce9d51b8267907910afa9ca6557cbbd7e565da
MD5 hash: 107ed910d166962a4bdd61d51b023f81
humanhash: lion-apart-berlin-winner
File name: New year First Purchase Order001072021IPO110.exe
Signature: AgentTesla
File size: 306'176 bytes
First seen: 2021-01-07 14:07:54 UTC
Last seen: 2021-01-07 15:31:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6472a7ccd1da067e7b403665d9e64dff (2 x AgentTesla, 2 x Formbook)
ssdeep: 6144:aZMbyxCAmiYnYgu1XE63/rhALkKZ2Et2UACPl3D9PTPvaKc3eyT4wA3wIYH:aZMbwzYYgu16LHF2UdJ9bGOyT4nwlH
Threatray: 2'093 similar samples on MalwareBazaar
TLSH: D4542279DCD98862D651333FB7BF3AE2DC272594D0F470A8A8060624F255827E22C79B
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: cpnl.dataconsulting.gr
Sending IP: 185.78.220.104
From: info@geoimaging.com.cy
Reply-To: Aristodemos Anastasiades <purchasemanager001@yandex.com>
Subject: New year First Purchase Order001072021IPO110LPO
Attachment: New year First Purchase Order001072021IPO110.7z (contains "New year First Purchase Order001072021IPO110.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 237
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: New year First Purchase Order001072021IPO110.exe
Verdict: Suspicious activity
Analysis date: 2021-01-07 14:33:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 336991 (Sample: New year First Purchase Ord..., Start date: 07/01/2021, Architecture: WINDOWS, Score: 76)
Signatures shown in the graph: Antivirus / Scanner detection for submitted sample; Yara detected AgentTesla; .NET source code contains very large array initializations; 3 other signatures; Maps a DLL or memory area into another process.
Process tree shown in the graph: New year First Purchase Order001072021IPO110.exe starts two further copies of itself; one of those starts two more copies, one of which triggers "Maps a DLL or memory area into another process", starts another copy, and that copy starts dw20.exe.
Threat name: Win32.Worm.SpyBot
Status: Malicious
First seen: 2021-01-07 14:08:19 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SHA256 hash: 6b121e62e5b7fff2b5d67c54d18556f44940c366bc8f994576b997c389648d94
MD5 hash: 09e0a16e8bd80993f67f8b210d1e26bf
SHA1 hash: c96836c5359d04128e24331efbeed61123c92533

SHA256 hash: c6d3df0cbecf7a0b5d843dd106777c925df0b080096bb76dbf4e4831838fd426
MD5 hash: 886dfe89c22820bf5583975e9c92d8d8
SHA1 hash: 1ee7c2a4b920146b033be02e521ccbe189e12916

SHA256 hash: 10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4
MD5 hash: 107ed910d166962a4bdd61d51b023f81
SHA1 hash: 4cce9d51b8267907910afa9ca6557cbbd7e565da

SHA256 hash: d4fbb334ded8e7716f791c20cc68c3009d0a3c01fc78680a23f81c47dd1f2971
MD5 hash: 1ea6fa0f41b9d6382f915e1bf9f872a8
SHA1 hash: 9978e413fb7f251a2deac0f56c7ef0ef36f954ee
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 10b9c66c17d2e559b0770c647386194546a4f64243e813fa2678cb7f7b16a5d4 (this sample)
Delivery method: Distributed via e-mail attachment

Comments