MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967
SHA3-384 hash: 94a5b2296307686797730488be3ac0db9d22c70f7a242f1d44fd2aca8356bef46be13f4f4daa546bdc4fcc66c380419a
SHA1 hash: 67a42ae1a71428cfb3d138c196a3996cd851dbdf
MD5 hash: 06a745b1189c958edbe3145896141351
humanhash: kilo-social-vermont-vegan
File name:Comprobante de transferencia.com
Download: download sample
Signature AgentTesla
Create hunting rule
File size:456'192 bytes
First seen:2021-01-06 16:33:46 UTC
Last seen:2021-01-06 19:04:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 31c815897a3b55d8d8afcee958fa181c (3 x Formbook, 2 x AgentTesla, 1 x NanoCore)
ssdeep 6144:DNrLL3ZbqFpa0o5XdqZkWgbhYUNU24tgSe8Yy2jz7GbqMCbZ7rnLW54t8SaVzzzT:DVZsUDYE0eqOMkpabz3it8iC0axbj
Threatray 2'244 similar samples on MalwareBazaar
TLSH C0A48D26B3C8F696E18104B87105FFAA50613C34696EC847F7C17B6B38625EE9A05F1F
Reporter abuse_ch
Tags:AgentTesla com ESP geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.osmispee.com
Sending IP: 45.85.90.199
From: Javier Sánchez <comercal@gervasport.es>
Reply-To: Comercial' <marcusdrnd@gmail.com>, Javier Sánchez <yos.afffandi@gmail.com>
Subject: Re: Justificante de la transferencia
Attachment: Comprobante de transferencia.rar (contains "Comprobante de transferencia.com")

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Comprobante de transferencia.com
Verdict:
Malicious activity
Analysis date:
2021-01-06 16:47:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/050c41e9-8264-4c8b-8dfa-5d35d0086915

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110759/
Detection(s):
SecuriteInfo.com.Artemis06A745B1189C.31963.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/575291
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 11:24:45 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cixp4l2337d5744de6ngitvjqlvuljy5fcts2wxznltgduztpftq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fdcf2e9b24b61f7772652645c29ab2f0e1368fc3d83dfa6f206a4dae1b21ad6
AgentTesla
160bb1d1ffcdea76c664adfeed64f6fe3e16285baf9c4336ebb0caeddfcfd931
AgentTesla
2565e3190558400fb85b0389e7aadf850a4c32d2b7b7d09e37820b8ad361c39a
AgentTesla
2b128560da3f57b305996b0447be082b0a7d40d10ed3000c931c13c6f9ce8661
AgentTesla
2b68292613b0256903e4f2e98813f8f2bb352317e126aa0c62d24f814c642125
AgentTesla
3b274112221489ff1408360fbd3b4d691e5d0b10a28399fd2c4690336e6e9cdf
AgentTesla
769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52
AgentTesla
b0cea585c416540b6820f91a0c1cf8d8eb6776ec0cecce0709cd2c22f15f7cc3
AgentTesla
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
AgentTesla
be48a66b718f94c2379453ff845e0047504573e3c0e1a9f7ab3011dab1c06b57
AgentTesla
+ 2'234 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210106-maz5kb1ykj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
77241910cc4d20d7d73ce22387634c7e4cec472163c982cc182737c26a79dfa3
MD5 hash:
7bf4dabc3ca4b1c28be74b18aea17cd4
SHA1 hash:
38f569222997d652a5572bc67644b79755798e27
Link:
https://www.unpac.me/results/841e0536-b9bf-40a8-a88e-78da9f05bdd2/
SH256 hash:
deb3a40d0da0198ed3e151581b88b8f284c071fd14dbc1b8c6ca5c3967105bd7
MD5 hash:
2061fe7c625fa52f139ef82cc5a0e7c1
SHA1 hash:
a94160a2cea440b6a2a1883a90508d17c9cf3536
Link:
https://www.unpac.me/results/841e0536-b9bf-40a8-a88e-78da9f05bdd2/
SH256 hash:
122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967
MD5 hash:
06a745b1189c958edbe3145896141351
SHA1 hash:
67a42ae1a71428cfb3d138c196a3996cd851dbdf
Link:
https://www.unpac.me/results/841e0536-b9bf-40a8-a88e-78da9f05bdd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 96045eee3717f4f0f661f0de81f0ed1ac779305d8c03bfeaba6d15de30e55e47

AgentTesla

Executable exe 122efe2f5bdfc7dff383279a644ea982eb45a71d28a72d5af96ae661d3337967

(this sample)

  
Dropped by
MD5 da47cdffd70c037d6ec10e5fb8503925
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110759/
  
Dropped by
SHA256 96045eee3717f4f0f661f0de81f0ed1ac779305d8c03bfeaba6d15de30e55e47

Comments