MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b
SHA3-384 hash:	ad6d5c225eba8209ee71a3933935fa7bc8841b8d3180f9c26f5b23361093c238021d755e6ef1dbfd2b273ab77d86c97c
SHA1 hash:	b987f5d6f04cbe7b841972173981c1ec3aeab29a
MD5 hash:	91e5579727e604c0f701477f5fee4b17
humanhash:	thirteen-texas-december-queen
File name:	OUR PO NO. CWI19150.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	677'888 bytes
First seen:	2021-04-06 08:20:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:D2iN+yjrQmcxLQHbVUlNQDEvVRfSI5R/DUbMv2T4XLNmQJ:D1JgDLQB9DEv/n7NmQJ
Threatray	3'693 similar samples on MalwareBazaar
TLSH	B1E402202359C741D4A687F64467950383B6F6D87823DF941E8DA2C6346AF0CEEE9ED3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

From: purchase.wovenctg@azimgroup.com
Subject: PURCHASE ORDER NO. 415 DT
Attachment: Purchase Order .rar (contains "OUR PO NO. CWI19150.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

OUR PO NO. CWI19150.exe

Verdict:

Malicious activity

Analysis date:

2021-04-06 08:52:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5599ead8-ddd0-4d73-9c38-58bfb83dfdc5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/132631/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla Telegram RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/667327

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2021-04-06 01:59:52 UTC

AV detection:

6 of 48 (12.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d33zqreh7rbnetijlxwoq5ese3feedrt3isra2tk2givu3yifkfq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

135e423a3e052c3f4cb4180f970e13af7c8cab393a708e48d7dfefb5cf035313

AgentTesla

1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b

AgentTesla

5994f45fc95b80beb8ef828728bd8248455a7f2c503b025be6991a700ecbbf53

AgentTesla

5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a

AgentTesla

79ffad444c6c77834dd38dc5aba56cad7006d815b7a101d6ab9a5f6f881fbb1d

AgentTesla

8434177ad88b9dae32c1af3253dd5cbda0bfa994d3bb6fcdda659679ae822228

AgentTesla

9b3c0d0fcfba031b1c667d8e990940265571bbb77a879317684f6747e0a3e969

AgentTesla

af298d2fb1377a2a262f96a6cebf232af6d157b2842011f293e9ffbedb7f5f70

AgentTesla

da9b1555b574d5e9b340f3993564550e0659f08b24856184a9eb543f4700e7e8

AgentTesla

+ 3'683 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210406-cszmygz44a/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Unpacked files

SH256 hash:

d98bd22220b0ce9e9647049635aacfb9668e067f288cda6b921203b74ac39c74

MD5 hash:

fa8edb8e670290f2d55827f213a3c0c2

SHA1 hash:

9cca8e9f145aabbbdbdb1dda1a66690c743f59f5

Link:

https://www.unpac.me/results/db822a65-11f4-4118-bf41-772cd840ab85/

SH256 hash:

fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5

MD5 hash:

8b603b23caf00139206f293eb741a9f0

SHA1 hash:

1cc90aec7ce07b13930fe0c088fe3cd155b3ea07

Link:

https://www.unpac.me/results/db822a65-11f4-4118-bf41-772cd840ab85/

SH256 hash:

a61dfbe7814e5401422540916ea0b0286209df4664a218264d3d109f13b0b1b1

MD5 hash:

d2795d8634346eb0cab23bd31a8ccc1e

SHA1 hash:

012657b41ad7c3218d3a52c3660b5e5c10725222

Link:

https://www.unpac.me/results/db822a65-11f4-4118-bf41-772cd840ab85/

SH256 hash:

1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b

MD5 hash:

91e5579727e604c0f701477f5fee4b17

SHA1 hash:

b987f5d6f04cbe7b841972173981c1ec3aeab29a

Link:

https://www.unpac.me/results/db822a65-11f4-4118-bf41-772cd840ab85/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 8135472d840e89b8bc3f4f3a6761927a17241a5ac0c6f3bfa3971ffaf8bcdac5

AgentTesla

exe 1ef7984487fc42d24d095dece8749226ca420e33da25106a6ad1915a6f082a8b

(this sample)

Dropped by

MD5 12b479df978d5c06de013161ed8f3f59

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 8135472d840e89b8bc3f4f3a6761927a17241a5ac0c6f3bfa3971ffaf8bcdac5

Cape

https://www.capesandbox.com/analysis/132631/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample