MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377
SHA3-384 hash: c171f0484a36120bde3b73f4e82af58b1b3f0510a850c7adf6e2a6f80a16e06a9c861cfd36232b535de1bfc9dd201912
SHA1 hash: 0a4d400e68724ac11dc8be89a613dee69f3d4e6a
MD5 hash: 019b273fc83e1cdffdc40a6ca93c1f03
humanhash: six-uncle-july-grey
File name:FedEx_Aug 2020 at 1.33_8BZ290_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:274'232 bytes
First seen:2020-08-05 11:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:csNtjCEwmZUrwqD1vrTIWt5v6+mQiQSIE60Dv37urDyXdwKVuqHgwJDfocoJVHKL:codt+rThB2IEPvLUDivHgqDfocmhrfA
Threatray 10'621 similar samples on MalwareBazaar
TLSH 2444E10132919915D7CC7639DB8B851003B68EE34B22E11E6FDD73AED9B22931C0AEDD
Reporter abuse_ch
Tags:AgentTesla exe FedEx


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server2.dnsired.com
Sending IP: 144.76.198.243
From: FedEx Support Delivery <shipment@fedex.com>
Subject: RE: Shipment delivery problem #00000964421
Attachment: FedEx_Aug 2020 at 1.33_8BZ290_PDF.img (contains "FedEx_Aug 2020 at 1.33_8BZ290_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39460/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/410999
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 09:26:59 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egl6e47z7t3byqifzhsq2rgkbzdyfqqjy23l3lxmqokwrorlen3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b
AgentTesla
0f010d34558a3cdfb2bca2de008db88cf41c733117aca97aa60ad2172c4a401a
AgentTesla
449668f18d2aa75cc9493090764722eb4f0843a8da1b354d4e2147c6d6393078
AgentTesla
47f12ec69f49c0ae05cd312f74076e822550a0e0ea8cf807262a6a11a16af1cc
AgentTesla
6a1315d55a66812deddffd96c7f113289b3f21b085f830d8332844b4c9d5e4bc
AgentTesla
7e2473db8e90a794eef6584e105e195e942d967f9172592230105b59e0af68d3
AgentTesla
cb77918ae8d2691de468c12d6a6074156a81b7774eadbd7197038285140d94cc
AgentTesla
d1876880e116fa9b64b8902b32cd76d4e69cdc0e94c091b50bea66e20e5f91db
AgentTesla
ef6cbe8e4762412374dd74dbb36bd2728f9a627212f14ad2890159945c0a5fb3
AgentTesla
f08ffb7a34ef9d8d3fa1065de100ddbbf4f2e9c74a6c4ade0135053a9daf5f98
AgentTesla
+ 10'611 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200805-fnl2b91el6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 3d56954f6dcdb3fb5b8faf4829718f78237264d29ccc69ed9d68a6868ec8d022

AgentTesla

Executable exe 2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377

(this sample)

  
Dropped by
MD5 d9a686272318b673d08c383a4fe93a95
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3d56954f6dcdb3fb5b8faf4829718f78237264d29ccc69ed9d68a6868ec8d022
Cape
Cape
https://www.capesandbox.com/analysis/39460/

Comments