MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b54c0c81ad125c0f59856c326b08527a95081b578b2afc0e587884b11200e3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: 1b54c0c81ad125c0f59856c326b08527a95081b578b2afc0e587884b11200e3a
SHA3-384 hash: 80237d88644143a80a8a42fdf76f1b8ea7eab6ba9dd697a76637936a4c48d60e4abb19ad72a82130759b3bc234d72c0b
SHA1 hash: a0df1c5aaa9d3d78067f4c38866ce50e0d5d51f5
MD5 hash: bfb3e62256b847013b1bc417bd718a79
humanhash: jersey-social-item-one
File name: invoice payment.exe
Signature: AgentTesla
File size: 468'480 bytes
First seen: 2020-11-19 08:23:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e617ab7e8f8469efcd6cb187d3073a1c (3 x AgentTesla, 1 x Formbook)
ssdeep: 6144:IADmsOVIaSggLyojo4GJWAKcsulT86oXLN6mdbvZMBTjL4WLu3pARL:IABOGajgrGQAxs+TpoXLrQL9uORL
Threatray: 1'395 similar samples on MalwareBazaar
TLSH: D5A4D021FAC0C031E6AA437514F55B61E23DBC321F72E5A7A3983B6E8E701D26376653
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: host.gtoolswebmail.ga
Sending IP: 52.152.234.132
From: user444@gtoolswebmail.ga
Subject: RE:Invoice Payment - TT Copy Attached
Attachment: invoice payment.rar (contains "invoice payment.exe")

AgentTesla SMTP exfil server:
smtp.scientificlevel.com:587

AgentTesla SMTP exfil email address:
info@scientificlevel.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 157
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Launching a process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process

Result
Gathering data

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Contains functionality to register a low level keyboard hook
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla

Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-19 08:24:06 UTC
AV detection: 27 of 28 (96.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: spyware
Behaviour:
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers

Unpacked files
SHA256 hash: 1b54c0c81ad125c0f59856c326b08527a95081b578b2afc0e587884b11200e3a
MD5 hash: bfb3e62256b847013b1bc417bd718a79
SHA1 hash: a0df1c5aaa9d3d78067f4c38866ce50e0d5d51f5

SHA256 hash: c339a24d9b91e96ed3819186489687386d07e5a81ff5ee1910c9a4d795e05fa4
MD5 hash: 52448208db962dc82fb17fa75b31c598
SHA1 hash: 77ef57a800c38a9bc5c2609af6eaf9943abe0fd5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 1b54c0c81ad125c0f59856c326b08527a95081b578b2afc0e587884b11200e3a (this sample)
Delivery method: Distributed via e-mail attachment

Comments