MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
SHA3-384 hash: 1c5e5e139943f42412f5d648954c2a73b81adfb00c600b5a1b91b39ec79a62f736dc3feba3fa540b47f74af0664ffd4f
SHA1 hash: 11523915c823004e1637add6ce8c4c50bccf78a3
MD5 hash: c507b9ce19600de1313c196618211338
humanhash: foxtrot-georgia-glucose-sierra
File name:Inquiry PV-008-19.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:27'136 bytes
First seen:2021-04-06 08:21:03 UTC
Last seen:2021-04-06 18:56:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:lviqGZZwbFLEF7HgcDnmKYGbX8Q3XVdYaPE+4lBdSXpSXFCSXN/d37ReT7:zIZOLN04j0tP8//oX
Threatray 151 similar samples on MalwareBazaar
TLSH 52C27401E6E0F67AFCD87A3BCC16C0646D6976C63217E5AF15E90A3360429284D92DFF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: perfect-ventures.com
Sending IP: 103.147.184.72
From: Knaik Naik <knaik@perfect-ventures.com>
Subject: RE: Perfect Ventures inquiry PV-008-19
Attachment: Inquiry PV-008-19.7z (contains "Inquiry PV-008-19.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry PV-008-19.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 08:37:12 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/af47c387-29d1-4a8c-aa69-0e73195521c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132634/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.7277.23734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a UDP request
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bec475a5-80be-4515-9c8e-07918a875779
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/667315
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382586 Sample: Inquiry PV-008-19.exe Startdate: 06/04/2021 Architecture: WINDOWS Score: 76 35 Multi AV Scanner detection for domain / URL 2->35 37 Found malware configuration 2->37 39 Yara detected AgentTesla 2->39 41 2 other signatures 2->41 7 Inquiry PV-008-19.exe 21 12 2->7         started        process3 dnsIp4 33 asdcqwdwqx.gq 104.21.15.11, 49697, 80 CLOUDFLARENETUS United States 7->33 27 C:\Users\user\...\Inquiry PV-008-19.exe.log, ASCII 7->27 dropped 29 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->29 dropped 43 Adds a directory exclusion to Windows Defender 7->43 45 Hides threads from debuggers 7->45 12 AdvancedRun.exe 1 7->12         started        14 cmd.exe 1 7->14         started        16 powershell.exe 25 7->16         started        file5 signatures6 process7 process8 18 AdvancedRun.exe 12->18         started        21 conhost.exe 14->21         started        23 timeout.exe 1 14->23         started        25 conhost.exe 16->25         started        dnsIp9 31 192.168.2.1 unknown unknown 18->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-06 08:21:38 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cq2bm73mhakunbtyom3emefsbs7bsrxkospwxx4cvqmekokrzqja._file
Verdict:
malicious
Similar samples:
00012e2de7a1a2dcc2f2d0fbecd6158ac2a2b2804088cf2ea03ce59931b4aa09
AgentTesla
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
1a2beaadeb5f9bc79af30c8a9e458bff69d4b481b305451afe68d0f1a9074da1
AgentTesla
1b7afa2a07f65c2cb04454ba72f066bdc4daf640ad3b75cfac5fe82eed6c2c76
AgentTesla
5242c4552e512707dbeb3b004cb441cc140b6cfe813a4d6532f4adec03bcb23c
AgentTesla
5abccf199b1e503db7c810a9dcbe1310b6a6b78441b091dae6f45c92d3c3add1
AgentTesla
766aab7b9f0e374b2e8810bf5c3e2c60aa28fa968112dff3634bbdbdc3f0a490
AgentTesla
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
AgentTesla
c73b434afd1074cd367b181cedd3cb55e69bb5d12594c3d2101d0b87c56e1013
AgentTesla
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
AgentTesla
+ 141 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210406-hfejpqrzjs/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
MD5 hash:
c507b9ce19600de1313c196618211338
SHA1 hash:
11523915c823004e1637add6ce8c4c50bccf78a3
Link:
https://www.unpac.me/results/0d8a2877-e5a6-420d-8044-98657da779a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 87ea6fb1fc1223e369459185cdb2933847f6ad84ae2ac2f5048a36c38e865178

AgentTesla

Executable exe 1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12

(this sample)

  
Dropped by
MD5 9f5458d9c8fca99bd8ab7ec6d16f9089
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132634/
  
Dropped by
SHA256 87ea6fb1fc1223e369459185cdb2933847f6ad84ae2ac2f5048a36c38e865178

Comments