MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3
SHA3-384 hash:	169d699c8950c2bb9db99b83d70e2d4b95cd5e42213b3b3bbbd6483e64e1a4d5c3f8598802643ad0d2c5a38da1a4228a
SHA1 hash:	1ad2dbcbdc95f82e69aa2a76ed360e4cb4322301
MD5 hash:	80f57f4be535787ca205a01872e850f8
humanhash:	black-sweet-mango-nineteen
File name:	PO002307014_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	576'512 bytes
First seen:	2023-07-27 10:14:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:Idtj8Q+z7W7xwMH4CFO0NaKSpTl7Sj7TJzfNuBbh+XqKT:IsQ+z7NJl7KJzfIbh+T
Threatray	14 similar samples on MalwareBazaar
TLSH	T1E1C42311C9685642C2A576BC431C559843F4E2F92560FBCA1ECBA486B7BB3E1CF79133
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

PO002307014_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-07-27 10:20:33 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/0f86ea02-64c1-47a3-86f8-08d436301c4b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/434761/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68378690.124.12659.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64c243b5907b8030b17b6a7e/reports/5daec0df-35de-4090-861b-9bdeea29923c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/92a970e7-38e3-4056-a4bf-b6b54c19997d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1281051

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-26 23:29:58 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=djnarr6p57pgooppqhlkq27jptiypadx666gmdqwefwr4itdllbq._file

Verdict:

malicious

AgentTesla

1201be819db6d09ce9bd23656c5bbd7430e0420f30c39afe37b3a4662581f143

AgentTesla

22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4

AgentTesla

4c9b551910643eb2c5a4adaf517f41cf1c5035c1526b11f108accd970e675e31

AgentTesla

6ffc1ae20840871c7ab6129cbe4f0c6a72b13abb27b9b76a0fa4bae366ea1beb

AgentTesla

950e8cfed90f2e567f20f1ba663e2a172596b96670da2f7b91ead407fc64fa77

AgentTesla

a26842becdd6ced8f2b44de90122dbd4cc027348b569ef32703749bac877ca6f

AgentTesla

b7c02d80a783e31957b0bcecf56c7fbec20dc513d021e7c814df913fe01fd491

AgentTesla

c030774b49428397cadf15f5a7b08e8fcfde4920705b0790b8b83cdcb3456956

AgentTesla

+ 4 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection

Link:

https://tria.ge/reports/230727-l991qsea57/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3

MD5 hash:

80f57f4be535787ca205a01872e850f8

SHA1 hash:

1ad2dbcbdc95f82e69aa2a76ed360e4cb4322301

Link:

https://www.unpac.me/results/65c90059-2fb8-4145-bbbb-133a149b39d1/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a5a08c7cfef/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 1a5a08c7cfefde6739ef81d6a86be97cd1878077f7bc660e16216d1e22635ac3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/434761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample