MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
SHA3-384 hash: b838147553013f1e08caea72297b7d510bcb69c7844b261758e8d7bae12adc1624cad5b4e6e746b6d936386512f9d374
SHA1 hash: 53c328632c7a7a493ad3f7010db6e32780879fe1
MD5 hash: 36b1b20862fed6560ede56489c71c4b9
humanhash: fanta-robert-stairway-washington
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:937'472 bytes
First seen:2020-10-06 05:27:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qZy1w0KflRZJ7NHaTrPxcjJLFN7DvvpJVxbBFfrdAhQb9o7vjx:1S0YRZJ76Z0JLfH1xVNrembk
Threatray 322 similar samples on MalwareBazaar
TLSH E815CF10968C0267F232D039A227D5786BB5DD865A04D2D52DE6DCBFFACFE98F4D0248
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68383/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482261
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293567 Sample: Purchase Order.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 6 other signatures 2->34 6 Purchase Order.exe 3 2->6         started        10 pfYwXs.exe 3 2->10         started        12 pfYwXs.exe 2 2->12         started        process3 file4 22 C:\Users\user\...\Purchase Order.exe.log, ASCII 6->22 dropped 36 Injects a PE file into a foreign processes 6->36 14 Purchase Order.exe 2 5 6->14         started        38 Antivirus detection for dropped file 10->38 40 Multi AV Scanner detection for dropped file 10->40 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->42 44 2 other signatures 10->44 18 pfYwXs.exe 2 10->18         started        20 pfYwXs.exe 2 12->20         started        signatures5 process6 file7 24 C:\Users\user\AppData\Local\...\pfYwXs.exe, PE32 14->24 dropped 26 C:\Users\user\...\pfYwXs.exe:Zone.Identifier, ASCII 14->26 dropped 46 Tries to steal Mail credentials (via file access) 14->46 48 Tries to harvest and steal ftp login credentials 14->48 50 Tries to harvest and steal browser information (history, passwords, etc) 14->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->52 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 01:04:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c42h5jg2geshifpy3b2chwfqwa7kypbfys7nr6wfa4r6vorpnmca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
AgentTesla
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
AgentTesla
f23c845c6c2450e632e8894be99fe3eb8a6a42eedc749c593431665c18e37d03
AgentTesla
+ 312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201006-je1y3glcxs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
MD5 hash:
36b1b20862fed6560ede56489c71c4b9
SHA1 hash:
53c328632c7a7a493ad3f7010db6e32780879fe1
Link:
https://www.unpac.me/results/757038bf-5a72-49b6-b081-6565352f2f8b/
SH256 hash:
1634fb56e55f84fabe58c7ab002614b3eead7b197c547e162c3e5af33cc16c74
MD5 hash:
42652f0c09b96e9b2ca54daa55709487
SHA1 hash:
17622f4f4bba7cab2e98b123e0639e9ef9aedc86
Link:
https://www.unpac.me/results/757038bf-5a72-49b6-b081-6565352f2f8b/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/757038bf-5a72-49b6-b081-6565352f2f8b/
SH256 hash:
d3d1c8a7c0f8b43fd4e0e60829286d1cf96c8cfef18fbd39603954a85ddf12d7
MD5 hash:
f66d57a4cd35eba44610f31f6e00f002
SHA1 hash:
b023c2a9f2b3e969cbefdcac1bdf3168bb0aa948
Link:
https://www.unpac.me/results/757038bf-5a72-49b6-b081-6565352f2f8b/
SH256 hash:
ec92d2c8000367c02ee06223808e78f9d0919109ce7dc2f9f46cc44554cc0377
MD5 hash:
d92571823ffe70e5425e03638a5161c9
SHA1 hash:
f7fb5de726e4e3e862969516cf11487b79f3ee6e
Link:
https://www.unpac.me/results/757038bf-5a72-49b6-b081-6565352f2f8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 35073f104c76640759c890c252c3537f0a523fc88e1815db28a7dd01fa4b5211

AgentTesla

Executable exe 17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 35073f104c76640759c890c252c3537f0a523fc88e1815db28a7dd01fa4b5211
Cape
Cape
https://www.capesandbox.com/analysis/68383/
Cape
Cape
https://www.capesandbox.com/analysis/68381/

Comments