MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 148b579256368d2476633e68953ad1006c692ce60f14d18425dd119fff30ecd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	148b579256368d2476633e68953ad1006c692ce60f14d18425dd119fff30ecd1
SHA3-384 hash:	1a2d159145cc9132802105e77e6ab047decb490573d9999e51ae6f0871f075d389de9b4896bf4aa03a7265a7a24bc802
SHA1 hash:	a1e90ed5f48082041f8d599c11dcab7f04fff502
MD5 hash:	ba93f51cf20fe7c33a7ccb0ed0681c65
humanhash:	moon-eleven-maine-mars
File name:	PO CPO 67GXD-345.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	683'520 bytes
First seen:	2021-07-31 07:46:07 UTC
Last seen:	2021-08-03 17:11:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:oxd2Sp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXwBhPChjX:3IdUXlafsKqN5TWKi8o+FFYxxl
Threatray	7'659 similar samples on MalwareBazaar
TLSH	T1D3E4DFBB079C4A27FB7EC4797A90F40AFBA199D2BB119D4FC6C764C11517A0221C6C2E
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

766

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO CPO 67GXD-345.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-31 07:49:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/88a7300f-784d-4fd6-a4a8-71a01dfa6078

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175419/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.EYB.genEldorado.6619.31589.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/749d65e5-a0d7-4208-aa8a-96f0493bfeb1

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824837

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/148b579256368d2476633e68953ad1006c692ce60f14d18425dd119fff30ecd1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-31 02:13:07 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=csfvpeswg2gsi5tdhzujkowrabwgslhgb4kndbbf3uiz77zq5tiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3bd0c04ee4c4ba078c54f4e7f5f956894204b2ccfbe84cdf934c40b28e30165e

AgentTesla

8a61b2bcfc5f2663772aac693d9bf4f2bbeb5cf08b9ca0873250530cfb5baff0

AgentTesla

9829d39cbbfccc4142a5374e10f03470f60ea6e1f8a927b2516c8166f9b97f69

AgentTesla

9b49a9b7baa2dd6642fcc3c97976f6f1ddb0f8d6b4261ce4b32583c75a572e4e

AgentTesla

9f7839d9c6a416498f9db038182face0e857a56e83ecf1902c2c664bb1269faa

AgentTesla

f04d5b287971f60d5f04b262f3714a790b7d7c9b591ab88faa1d1f5244792d09

AgentTesla

+ 7'649 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210731-67qh671cmj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

cd2a17383d475ca6a98632280165b10f877de9968511e9cd860f60b03a95a5b7

MD5 hash:

06daacde664330a3bb376d1727831d5d

SHA1 hash:

f751043ae03d0611dd7a0c6933c7bb8aa5fcd546

Link:

https://www.unpac.me/results/ac66564f-3e65-43c4-8c82-b1d9486b40bb/

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/ac66564f-3e65-43c4-8c82-b1d9486b40bb/

SH256 hash:

ac2119666075ba489cbbe7ea6668bb0b337f4d1d77eb70fc764e24dc2e65f959

MD5 hash:

f28b65c13fb20c36c37d2c1eb5477d2d

SHA1 hash:

56926008114c61f872ac3bb20c1db4b29571f28c

Link:

https://www.unpac.me/results/ac66564f-3e65-43c4-8c82-b1d9486b40bb/

SH256 hash:

148b579256368d2476633e68953ad1006c692ce60f14d18425dd119fff30ecd1

MD5 hash:

ba93f51cf20fe7c33a7ccb0ed0681c65

SHA1 hash:

a1e90ed5f48082041f8d599c11dcab7f04fff502

Link:

https://www.unpac.me/results/ac66564f-3e65-43c4-8c82-b1d9486b40bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/148b579256368d2476633e68953ad1006c692ce60f14d18425dd119fff30ecd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175419/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample