MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129
SHA3-384 hash:	b1586ab64062cf257e058f02bbce313734e7cf123d0c0081c6944d4c3eaffe4dc53c97618674194a174be6680ad50e7e
SHA1 hash:	e8dec8fbb25adab42b8e1b348c76c340f73a9e4a
MD5 hash:	aa5331d032f2cb76f3295818c9533f52
humanhash:	fix-dakota-jig-friend
File name:	ARRIVAL NOTICE_4051896202736.xls.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	285'184 bytes
First seen:	2021-08-09 14:16:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:2p1ijDCGvBowm8sokmuSmxH4mp4U4x56MA6JrFeqr1ewQvzOk4vfiCbRby:2ACsB/m19WjA+hQvzOkaiCbV
Threatray	8'098 similar samples on MalwareBazaar
TLSH	T13A54AF51AA030857C67C633BD297963FA3E0C9B6D331C58B7B8613D6AD4A5422EF93C4
dhash icon	8f43484c4c4a418f (10 x AgentTesla, 1 x Formbook)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ARRIVAL NOTICE_4051896202736.xls.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-09 14:18:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5a75e4a5-5df7-4283-8cf9-1c75cf9ee993

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177614/

Detection(s):

Win.Dropper.Nanocore-9831995-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/448d197f-1218-44f4-8413-8e42aca995f2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/829723

Signature

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-09 09:35:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 45 (48.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cekyvirwubyygvdyskwzayiv3cpptyswh4h6k3ghpxhprpcyceuq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f57778e5448ce6d8834f523299fc5ba868636556c993a4b5f3faabacb36c993

AgentTesla

359de4e28b1286f601c3d8cc5987ff8f81335f049411f00d99496c2f56bbade0

AgentTesla

9fcdd20c1848723a889fd4ebb88e52a2cb9fae8ec9e8cfe70d8e9706ef3e8992

AgentTesla

a51412351320c2876dc38780b18441bbc160c6a0fa21bda69330eeaef1fb6ca6

AgentTesla

d47da005885b968328d25d493a11e0fe3a146c9103f24b0de735a02b117c6a4b

AgentTesla

e433b3cc952fec02984b9d3678ab71f9e168a5616550f44e7ab3b0548d01ed2e

AgentTesla

e860f949006657d88539f009376c3b6ed3947e81ddd1dcc2253f0c27b1945806

AgentTesla

+ 8'088 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210809-3qydfcry32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

076f2ad155836391d7961740ec4a3288d6b0b84832be15557dfaca4f802aeacc

MD5 hash:

8e960c59402985e5e6cdd7b2c52eba3c

SHA1 hash:

a0be927a42045ea0109a62ca55a279aed6137989

Link:

https://www.unpac.me/results/0884160c-4d1e-47af-a75e-0beabee4ff11/

SH256 hash:

57336706478efc043edff9cdd5eda86833746509360d35dd3ad5256597918b8b

MD5 hash:

87ab6ca28e4344c1de7a7da9bb404566

SHA1 hash:

974f3ed2df80ed63fb605a1cc3c11f0c49cfd02b

Link:

https://www.unpac.me/results/0884160c-4d1e-47af-a75e-0beabee4ff11/

SH256 hash:

11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129

MD5 hash:

aa5331d032f2cb76f3295818c9533f52

SHA1 hash:

e8dec8fbb25adab42b8e1b348c76c340f73a9e4a

Link:

https://www.unpac.me/results/0884160c-4d1e-47af-a75e-0beabee4ff11/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/11158aa236a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/177614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample