MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29
SHA3-384 hash: c0f7ba82d8a0a697b14114bd4d56e7add390babf777580a9d8ef423e8441548622f1c8744ecb628d920a67a33cb8a759
SHA1 hash: e1b8db8001856058c19c2725027b25992fbed0e2
MD5 hash: b7a9f6dbd9f853af91f2efe391e8be04
humanhash: four-juliet-ceiling-nebraska
File name:MV HONGSHENG 7 PDA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:32'312 bytes
First seen:2021-04-05 06:31:03 UTC
Last seen:2021-04-05 08:24:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:idjM22eVe67gVFUPodS6zvVZhyDnLO9SxUAO/QeA3z8qmQ1rFa8/fwr8SXBQfymi:W7xVp7gVFUPodS6zvVZhyDnLO9SxUAOV
Threatray 3'766 similar samples on MalwareBazaar
TLSH 7FE209F856DD9CEEC8B78F3908F104258674C6D06A72DF2F1C4AC8A064167DA27B961F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gac.com
Sending IP: 103.99.1.148
From: Gac Shipping Cochin <shipping.cochin@gac.com>
Subject: MV HONGSHENG 7 / PORT ENQUIRY FOR LOADING 20000MT STL CARGO AT CHENNAI (GAIN0281500E)
Attachment: MV HONGSHENG 7 PDA.zip (contains "MV HONGSHENG 7 PDA.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV HONGSHENG 7 PDA.exe
Verdict:
Malicious activity
Analysis date:
2021-04-05 06:46:29 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/c0ae31db-1238-4219-bf81-f5f7adb99457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132156/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.2826.23751.12337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39bde2ae-ec1f-40d3-8a5c-245670720d4d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/665810
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381831 Sample: MV HONGSHENG 7  PDA.exe Startdate: 05/04/2021 Architecture: WINDOWS Score: 84 26 Found malware configuration 2->26 28 Yara detected AgentTesla 2->28 30 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->30 32 3 other signatures 2->32 7 MV HONGSHENG 7  PDA.exe 15 8 2->7         started        11 WerFault.exe 2->11         started        process3 dnsIp4 24 asdcqwdwqx.gq 104.21.15.11, 49700, 80 CLOUDFLARENETUS United States 7->24 34 Hides threads from debuggers 7->34 36 Injects a PE file into a foreign processes 7->36 13 MV HONGSHENG 7  PDA.exe 2 7->13         started        16 cmd.exe 1 7->16         started        18 MV HONGSHENG 7  PDA.exe 11->18 injected signatures5 process6 signatures7 38 Installs a global keyboard hook 13->38 20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-05 06:31:32 UTC
AV detection:
8 of 48 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ceb4rphgchnaox72ebbgffne7bfsicjxrr3u3qzmvhw7s2gnriuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0007311d7ccdb22d05e828edd39abec574f7f18b6f7ad9262acd1e76a6f4b7de
AgentTesla
0063947555fada876477c4e186d19517a3894d56153477590b0d6367ec80fe2d
AgentTesla
1b467c02c56a9130e3fb9e62e0ee62aa6b950845c9858f95656e659b814699c3
AgentTesla
21bd5e4845c12f0601ae8988314a461339e03e78267cac80f4a34ce93ad404ab
AgentTesla
2e525c09344f83f1f77d92e492a3fe75158e5424dcc22be92a45870168275879
AgentTesla
3bb4ba1af57ec635228b43c11b676612091f37e15b6578fca48e9a14195a9cd5
AgentTesla
566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
AgentTesla
7b4b43d22be88ed3b2054ef7090ebb7b44ecc03dffa6c32e578002c9a12cbea8
AgentTesla
d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c
AgentTesla
dbc70bcb3cd5eae9a25f1c842c1e92fd9e879dcc1cd2c6221ea472c99a41b468
AgentTesla
+ 3'756 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210405-zv967w4h46/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29
MD5 hash:
b7a9f6dbd9f853af91f2efe391e8be04
SHA1 hash:
e1b8db8001856058c19c2725027b25992fbed0e2
Link:
https://www.unpac.me/results/6b526dd0-0b9a-4afa-a4b6-d19095c3a6bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 08ef33dfef9ce4b362eca4964cb3fd3345688de2e45a3aae2d26dcfda45b93a2

AgentTesla

Executable exe 1103c8bce611da075ffa20426295a4f84b2409378c774dc32ca9edf968cd8a29

(this sample)

  
Dropped by
MD5 b967722c59b654c6629f40b5d567be34
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 08ef33dfef9ce4b362eca4964cb3fd3345688de2e45a3aae2d26dcfda45b93a2
Cape
Cape
https://www.capesandbox.com/analysis/132156/

Comments