MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 135611f4e9427dd48f81e3970edef5aa35800b3a85b1f867abb84bcb5372239c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	135611f4e9427dd48f81e3970edef5aa35800b3a85b1f867abb84bcb5372239c
SHA3-384 hash:	8630bd8267774d1285d4822f2289555a888ca8e85a6c669f1d5dec3b903f83051eb2a383c5f0673ce810a43835924115
SHA1 hash:	8adf6fec52e162c121db3f7f2038d5dc5064c18d
MD5 hash:	f37983dabf95d4549510cc7d2d9708a3
humanhash:	ohio-william-dakota-august
File name:	Payment Advice.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	677'888 bytes
First seen:	2022-05-10 22:17:40 UTC
Last seen:	2022-05-11 05:51:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:rsu9Wa7xLCAVHBDEggSy7A9Dv1u+CaTQrt/Cd0UYEcfk:Iu9WmBta09w+CGAt7qEk
Threatray	17'270 similar samples on MalwareBazaar
TLSH	T19DE40204B37497A5C43E07F86932895107B47C2BEA22E75E0EDEB1EF1973B410A46E97
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Payment Advice.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-05-10 22:23:28 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/9620c65c-0fdf-41ac-bb07-a9565948848e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269546/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.331.14608.4000.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/627ae4a4b119a5f609b8b13f/reports/0971d4ae-e0f8-4788-97b1-9655a1dbd09d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0b5049d1-04ac-4335-b57e-bfb2c07e7150

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/991485

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/135611f4e9427dd48f81e3970edef5aa35800b3a85b1f867abb84bcb5372239c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-10 22:18:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cnlbd5hjij65jd4b4olq5xxvvi2yacz2qwy7qz5lxbf4wu3seooa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3dce04c59550966c479e183f8faf51355b8741c8aedfae1a934b2ebe7aab17f8

AgentTesla

47f66c434fd02690b1847b161ac20e46f5cb2ec9050a961cac72997a548e75d1

AgentTesla

49a53fb698c6608f315ec4176b93a2334e99cbcc3bb37fab5d3062bc390961f4

AgentTesla

4e6704724e2218ac123163b44edcc4f34555cddaf9d5fd4afef51617918bdb9a

AgentTesla

5db110dfb57b23725b541beb1cf53e421e94ad03e87b33c8471c96f6a7e3dadc

AgentTesla

9213771d3c5189ae487f47c552a34856d2298ed22aac305bc5f29c03212312ea

AgentTesla

caf547df46387b2df2669cc740f45af18c8660a2132542bdd9769466947cc43a

AgentTesla

f9a91c1c89539f9482408b13a207fee4206438a9a310b4bd81d1884f5f5096b7

AgentTesla

+ 17'260 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220510-17xd7accfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

74ae8795497cc535664a8745b76b3e4687626df1b828997ff024e9b6290429fb

MD5 hash:

b27354b605ae21c959affed0adb1530a

SHA1 hash:

b1cb83a197519df6b830c50234f195a8adae0c6c

Link:

https://www.unpac.me/results/a75d9295-43bd-4f9a-845f-21a2611461a0/

SH256 hash:

91c53ea2ac456f1cb0cc7aaee1995b5426939d4e2b07991a2716e8d0d9d5b2b9

MD5 hash:

2d117ebc7441014883a084b522c3ddcd

SHA1 hash:

6e5fc2f072369a810c6ae4e84b92e95e61e7017e

Link:

https://www.unpac.me/results/a75d9295-43bd-4f9a-845f-21a2611461a0/

SH256 hash:

1ce1a82075f0d8c4c1ec4f44b2a38374ccdec6dee03ceda2ad9519d2ec9f7304

MD5 hash:

1e27970634ef0930dbfda080f2902d7c

SHA1 hash:

480d099bbe3a14bbda3733c541a4fc3a4810926d

Link:

https://www.unpac.me/results/a75d9295-43bd-4f9a-845f-21a2611461a0/

SH256 hash:

417fbf6ee0491d2b11145ec9e3f64a7231de4d86c151d38c9b6b8eed0912b98e

MD5 hash:

e6417e4f40bf0980689a4b794a793ce2

SHA1 hash:

b6ed944ac449a6102fb5badf4eae34f37054565a

Link:

https://www.unpac.me/results/a75d9295-43bd-4f9a-845f-21a2611461a0/

SH256 hash:

135611f4e9427dd48f81e3970edef5aa35800b3a85b1f867abb84bcb5372239c

MD5 hash:

f37983dabf95d4549510cc7d2d9708a3

SHA1 hash:

8adf6fec52e162c121db3f7f2038d5dc5064c18d

Link:

https://www.unpac.me/results/a75d9295-43bd-4f9a-845f-21a2611461a0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/135611f4e9427dd48f81e3970edef5aa35800b3a85b1f867abb84bcb5372239c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.