MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb
SHA3-384 hash: 00320e2adfc9a85db755fd10d140bc0de64e6952f37c30f455f325178e41b0b0cdbcc01ccfc02f0e2c5aaab4221649e6
SHA1 hash: 36784ed68fcc6f7971ba83940f9a5d7e01782f75
MD5 hash: 295120aa43f8840484b314d94dfdf95d
humanhash: mango-vermont-coffee-fruit
File name:PEMSB1066804061020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:453'120 bytes
First seen:2020-10-07 16:42:24 UTC
Last seen:2020-10-07 18:00:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:FRAwnJ/0eSrnfZP2xlmE0+G16cSlYrZrpkVu+OjAaSN0HbJg9pzxAevs:LrKrnfkx30VyQpkVu+daS2+pzxAe0
Threatray 56 similar samples on MalwareBazaar
TLSH 81A46C26123CC7BDC9890D37E0A546A78796938B7065EEBD9F28FC9F7719702E0048E5
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ahorrochile.cl
Sending IP: 45.88.3.137
From: Valeria Nuñez <vnunez@ahorrochile.cl>
Subject: Ahorrochile; QUOTATION: NEW INQUIRY PEMSB1066804061020 TOP URGENT
Attachment: PEMSB1066804061020.iso (contains "PEMSB1066804061020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68998/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/484452
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 16:44:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dovivhhupbu4awiirhskuvm5wjjzsevircw7da7huvvhkycq67fq._file
Verdict:
suspicious
Similar samples:
217bb4b351efd731e57ec953549c757eab0751839f4be4c8a996a5f7a8e571a7
AgentTesla
33c04f77c2590ff87733bdbf3d0226a7b6614276620f0dd3c279fffbf5ad1d8a
AgentTesla
530b1e78bd5bdde0546fb70e6f9537003dae474c918bcde154e2c90394286a33
AgentTesla
55ee4e94de776d7e7748e9a321055cc59d0f0274b2b81bfae0f1f020a65ab33f
AgentTesla
7132a482c09dd9e74e9e75a563b07a03ed4298ba84a49cbdbd499e38d890aaaf
AgentTesla
78cf294b91a04cbedfab6ea4bc77ed0e912e2076be8d623529c62e1c49fb338f
AgentTesla
7b3b68f664f29eafb166bff755303a2a953ebc7160cd476afbdca3cf154e20e2
AgentTesla
e99f37f96959011aa58267233f120986aefa12831c9bfbff3b3cdee7914f9d7f
AgentTesla
f4346c9695322212bcbd3ca0cd0fea6e91d34448b278a1dd5af766020f86aeb6
AgentTesla
fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493
AgentTesla
+ 46 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201007-pgnspytp1a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb
MD5 hash:
295120aa43f8840484b314d94dfdf95d
SHA1 hash:
36784ed68fcc6f7971ba83940f9a5d7e01782f75
Link:
https://www.unpac.me/results/7aeb30e9-5617-4755-ad8d-53f119b726aa/
SH256 hash:
97174f44c76140839f66c4609d689275f971b6fa5fead0634dc17233993745ec
MD5 hash:
1de8273768b54bda040456b4ee39f74e
SHA1 hash:
73804fd087a2445bc339426316f57018140f68ee
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/7aeb30e9-5617-4755-ad8d-53f119b726aa/
Parent samples :
1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb
5ab3356b442f26bcaf9162a636f3ff366aea3af4031efdf46cc800830d95a84d
SH256 hash:
f1e6cc95926c29c7ff928e5c3fe435e8e9f92befbd17ca1b8e96bef5d2eecd61
MD5 hash:
065db44be402d012e6e95dadf31dd8fc
SHA1 hash:
9b33897c249910ddb568b5cc1cee6b853055ccba
Link:
https://www.unpac.me/results/7aeb30e9-5617-4755-ad8d-53f119b726aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso bb0715911b95a2b06f76628e6a9be5db826e3aeecb87e4d3ce3928d6eda2f7be

AgentTesla

Executable exe 1baa8a9cf47869c0590889e4aa559db2539912a888adf183e7a56a756050f7cb

(this sample)

  
Dropped by
MD5 c7bc9a8ed33902a1afb280e8828e7e11
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68998/
  
Dropped by
SHA256 bb0715911b95a2b06f76628e6a9be5db826e3aeecb87e4d3ce3928d6eda2f7be

Comments