MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463
SHA3-384 hash: 1b407827b158aaf6e1361f0d500ff885b3e245d4c9e21addb175e2ea143731235a07709a38717d1d9ea8d1aa600b3f4e
SHA1 hash: bb7c7e05868581027853f96502e8d7cb30ee6b4f
MD5 hash: cbbc31be941617784c71d5cdf30da3bc
humanhash: failed-winter-michigan-carolina
File name:Purchase Order dt. 23.09.21.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:520'192 bytes
First seen:2021-09-23 14:47:02 UTC
Last seen:2021-09-23 16:10:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4RUmKEWJuP5VprRK4duDQXrcpDSQqxA5E:CUi5VhRK4ME7uWQqx
Threatray 10'653 similar samples on MalwareBazaar
TLSH T11CB46E2C3BC11EFAEF1DA8B145060A2BBB660E97E240998117DB1DC7DF5E3F52D05886
File icon (PE):PE icon
dhash icon e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190819/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31048.16695.3418.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/276c3ddc-5efb-4cf7-a287-4e25ee8eeb9f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856622
Signature
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489055 Sample: Purchase Order dt. 23.09.21.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 8 other signatures 2->50 7 vudomqza.exe 3 2->7         started        10 Purchase Order dt. 23.09.21.exe 4 2->10         started        12 vudomqza.exe 2 2->12         started        process3 signatures4 52 Multi AV Scanner detection for dropped file 7->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Machine Learning detection for dropped file 7->56 60 2 other signatures 7->60 14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 vudomqza.exe 2 7->18         started        58 Injects a PE file into a foreign processes 10->58 20 cmd.exe 3 10->20         started        23 cmd.exe 1 10->23         started        26 Purchase Order dt. 23.09.21.exe 2 10->26         started        process5 file6 28 conhost.exe 14->28         started        30 schtasks.exe 1 14->30         started        32 conhost.exe 16->32         started        40 C:\Users\user\AppData\...\vudomqza.exe, PE32 20->40 dropped 42 C:\Users\...\vudomqza.exe:Zone.Identifier, ASCII 20->42 dropped 34 conhost.exe 20->34         started        62 Uses schtasks.exe or at.exe to add and modify task schedules 23->62 36 conhost.exe 23->36         started        38 schtasks.exe 1 23->38         started        signatures7 process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 11:21:30 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d5uotpwnan25vycum3rxeqmsm7h7sv4t6zz3sr4ewzblmytssrrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0913bfa77bc5c9494eb3908544f69e4e1d8c9aeeaa26e35efe28e9fe43481a6b
AgentTesla
19f512ee634d2d47156551904a25f5b650083c60a536079c11c512edd6914c17
AgentTesla
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
AgentTesla
7b41953809b047db74ed61cf3ecceb535e0382a71976b24c1a966be3a5774c80
AgentTesla
968e2035fc4624c70022810166de189449b9573c9645ee713fdf44d40811a4a1
AgentTesla
b8e8f5c8629513ef5ec5162ca8e5e8a7758917c4a457270e1d438c23ba3a3fa0
AgentTesla
c042c748985e1dbc468a0c92a66232e55b362bb5901beceb79ae5b466b9e6e06
AgentTesla
c653a8a070f8f5db25d857bff0b23a79fddb17743b1b02b57e64b27bdef617f1
AgentTesla
eb12f5ac4c8669a097af19e970c05103b43e542a4ad162401c68acef25ff8b5c
AgentTesla
f9989bce3ddcc0eb0f95bae744a31bd28e06b229f2757ad7fe7a92c8952ac78f
AgentTesla
+ 10'643 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210923-r5wkfaega7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1481923647:AAGiBTAuCt4mxLt_RWPYNlSpw01yplTkoZI/sendDocument
Unpacked files
SH256 hash:
2df1f93e24ea43f1e2083d646a695936a1bfdc69365b13b9fad44d505072e826
MD5 hash:
c1e2ed8a9d93986fa4ea103b045f030f
SHA1 hash:
441b9941b3468baf0ef95af921ec18d35589e45a
Link:
https://www.unpac.me/results/b0bfeaf6-455a-47f4-971b-88e9dc6a0bb3/
SH256 hash:
1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463
MD5 hash:
cbbc31be941617784c71d5cdf30da3bc
SHA1 hash:
bb7c7e05868581027853f96502e8d7cb30ee6b4f
Link:
https://www.unpac.me/results/b0bfeaf6-455a-47f4-971b-88e9dc6a0bb3/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1f68e9becd03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190819/

Comments