MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b495eccb1dd110b035b72e2d4445820c9a5f445620394f606ae72e621a9b547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	1b495eccb1dd110b035b72e2d4445820c9a5f445620394f606ae72e621a9b547
SHA3-384 hash:	5c5d54019a2699c182592db92a05641e4c5e5b0d16a18cc2ce6139a5f5cd0995e71d0947e7f912fc42666f089b6542cf
SHA1 hash:	96b9914494ec7a1894aa9803e1793e5f4537e52c
MD5 hash:	e6fc2e55bbc8bc295bbe4a6f2d4ae919
humanhash:	queen-cardinal-thirteen-fish
File name:	TNT Original Invoice_.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	138'240 bytes
First seen:	2021-09-29 09:46:56 UTC
Last seen:	2021-09-29 19:16:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:R6ehvcaRRqWidIdRVMsw9h7S0h0CTXYmvFMQ4b1LfB:RfJQ9dIdFwb7S0hYmuQ4pf
Threatray	500 similar samples on MalwareBazaar
TLSH	T108D3280277846B41C42419B0C5E7673403F3EBCB76B2D2893E4546DA1E42BEA9D9AFCD
File icon (PE):
dhash icon	e884030dcedeb4e8 (52 x AgentTesla, 20 x Loki, 6 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe TNT

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TNT Original Invoice_.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-29 11:11:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/61e3ae6f-3cea-424c-9847-05ba67f6413a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/193071/

Detection(s):

SecuriteInfo.com.Malware.AI.3217204580.15440.22317.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a63a8fbe-1aa2-49d2-b2bf-3bdc75d9de4e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/860792

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b495eccb1dd110b035b72e2d4445820c9a5f445620394f606ae72e621a9b547/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-09-29 09:47:28 UTC

AV detection:

14 of 45 (31.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dnev5tfr3uiqwa23olrnircyede2l5cfmibzj5qgvzzominjwvdq._file

Verdict:

malicious

AgentTesla

0aebdeb98f747dd7c32f0a3644e392fc859be7728d125510ee59ce790d4e93e6

AgentTesla

500db2ef97a164d00676ba3cff04cf5a34962220a2577ee9833333ebc685c807

AgentTesla

7d7f39ea140c1d58a017ffdd969c8a6f6201bfb578b4090b1e4588be84a7e29a

AgentTesla

93fad7701df9ff93bd4099e35acf33ccaea74bc1dff47fb2920991b6959f98bd

AgentTesla

956bd054893f8940d72ec94175b2f063ac759a1f9cee3a0cad7eb3b7871bae2f

AgentTesla

b17bfed7ccb65140f22de398cfcb56faa877dd36410bac51453f8ad9f1537bda

AgentTesla

e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8

AgentTesla

+ 490 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210929-lr8d7aede4/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Downloads MZ/PE file

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

1b495eccb1dd110b035b72e2d4445820c9a5f445620394f606ae72e621a9b547

MD5 hash:

e6fc2e55bbc8bc295bbe4a6f2d4ae919

SHA1 hash:

96b9914494ec7a1894aa9803e1793e5f4537e52c

Link:

https://www.unpac.me/results/fc6291dd-8a94-4327-8ea4-e98f8599013b/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1b495eccb1dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/1b495eccb1dd110b035b72e2d4445820c9a5f445620394f606ae72e621a9b547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193071/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample