MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4
SHA3-384 hash:	e792e6de2e36eab82d010e5c0a16a26a07539d75f327fa858dcb74bbde598f351f316f04902f1aec4ef60b8623cdbdda
SHA1 hash:	91d6816d8ada5c4c1448a14fa9dbd9c37612106c
MD5 hash:	368ca84d3193a2a6d65ba61b9dcba004
humanhash:	sink-kentucky-illinois-winter
File name:	P-O.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	980'480 bytes
First seen:	2020-10-12 14:42:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:kl6KqR6sYsEUP4/gdnKx1OaXPLny8VODYgF:klxjsYsEUjdnmTfLL
Threatray	31 similar samples on MalwareBazaar
TLSH	3625F16126A99F87E0BD5BF50224129003FA3E6B396EF21D2DC629EF19B5F414601F73
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: amerpipe.com
Sending IP: 185.222.57.73
From: Accountant<sales@amerpipe.com>
Subject: FW:Re:Re:Re:P/I
Attachment: P-O.zip (contains "P-O.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70115/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42621.18275.20928.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/488538

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4/

Threat name:

ByteCode-MSIL.Backdoor.SpyNoon

Status:

Malicious

First seen:

2020-10-12 10:48:47 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cqxrhfxu2eoudwgac5apvbcga477e6k24qfq63cm2a2pjtyot32a._file

Verdict:

unknown

AgentTesla

054b7c5d38a00ecfc40168d4dc21610139c5ab6a46d2a0e851ef100397d5e5e9

AgentTesla

15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76

AgentTesla

19bb5246a84d821d1d51156b664d58f544ad7c0a2898b31472db6c7ec952cff8

AgentTesla

1fb23de8da95ef200663ec6bffe9a439b6c39927559b5e103a488cf54355ebad

AgentTesla

35053de930782e8179e3721c8927c499b71dc9926db872b722fe8b5ec5b300b2

AgentTesla

37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f

AgentTesla

388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3

AgentTesla

792259d9e6e262d17cc54f4b43c8e95cd0be1e533f5e5032a5cdefb9f899a6a2

AgentTesla

f4b7759a1a42ebd89a61ed697ca26661dff56719bbf254b7b1f400f3cf4487d1

AgentTesla

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201012-cm2e2pzcws/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4

MD5 hash:

368ca84d3193a2a6d65ba61b9dcba004

SHA1 hash:

91d6816d8ada5c4c1448a14fa9dbd9c37612106c

Link:

https://www.unpac.me/results/9cd458ac-303c-42a9-85ee-8e59384fb317/

SH256 hash:

2c57051d9214c2a65705392d5d5c67a1b0783bb9f19ffa40d7c7150c048ad974

MD5 hash:

11b2710f880f7db8af0b79eb986b41a7

SHA1 hash:

4991f78fe3e935ce7f10436d3a46311d6a9d8e75

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/9cd458ac-303c-42a9-85ee-8e59384fb317/

Parent samples :

142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4
f6eb194eb12a91379a545ef1118eb2428e1f8a011a18471648e5d2a4abef0053

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/9cd458ac-303c-42a9-85ee-8e59384fb317/

SH256 hash:

bad1c1a0ed720f3bd4d08f5b458c4d0ae015d5ee12cb5111a429d7db519ec410

MD5 hash:

8202d81d61b876fac328b9511fe83a87

SHA1 hash:

9a3e948591c1b8f2c103d2caa1819d1e34aaf664

Link:

https://www.unpac.me/results/9cd458ac-303c-42a9-85ee-8e59384fb317/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8d23a37dd40ce0ea6676bc11fa658b7d31b13cff9aa02f32c8b5b6dc4c7551dc

AgentTesla

exe 142f1396f4d11d41d8c01740fa8446073ff2795ae40b0f6c4cd034f4cf0e9ef4

(this sample)

Dropped by

MD5 b3c0d75a47dc143862d9f148f8c132b0

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/70115/

Dropped by

SHA256 8d23a37dd40ce0ea6676bc11fa658b7d31b13cff9aa02f32c8b5b6dc4c7551dc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample