MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2
SHA3-384 hash: 8f66f2dca1f63ec39495ba77de8ae5cf2b8ff58fb4d919d54f821fdfb2b6a18384238ad9db8de091745a2b7cb826e679
SHA1 hash: 28326df42e3b0922b2c3133c4cf35488e410301a
MD5 hash: fa33ab41d8334ca25efdb48fe102a14c
humanhash: nuts-spaghetti-sink-two
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:970'752 bytes
First seen:2020-10-06 06:05:25 UTC
Last seen:2020-10-06 07:22:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:caVwfHVckLmdIXGUm0DSJwYRucXhP8lZfhgTKzHs714gGKRADQb9o7vt:5+QIXGUmbTucXGhAKCIMbk
Threatray 339 similar samples on MalwareBazaar
TLSH 3F25C011968C026BF132D038A227D5786BB59D455E08D2D52EE7DCBFFACFE98B4D0248
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.fpcci.org.pk
Sending IP: 124.29.202.181
From: SPA - AMENA Chennai Purchase Order Management {PI} <peporder.ap@pepsico.com>
Reply-To: purchasemd@yandex.com
Subject: Purchase order
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68439/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a UDP request
Creating a window
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/482363
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 02:29:41 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ehsrcst7a7cyfn2kpcqoht3vvr2r6sz2323atpnijvlvljvvylja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15814d40339c1e572590b74683dec0fdf2e55e7f565be6e806adfa2e59c4a915
AgentTesla
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
AgentTesla
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
727e1f0aabc7d8fb68f756541bd8797dd810c2b3ab684ae6e53732e461425f20
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
c8ef5faf8bef2942260f56a7bfca916280711c776ee19bf00954ebdee11804ea
AgentTesla
+ 329 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-mk2rbd46q2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2
MD5 hash:
fa33ab41d8334ca25efdb48fe102a14c
SHA1 hash:
28326df42e3b0922b2c3133c4cf35488e410301a
Link:
https://www.unpac.me/results/66146e4d-d36b-4245-8167-6f3d262b85b3/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/66146e4d-d36b-4245-8167-6f3d262b85b3/
SH256 hash:
b905308a43bb5d41b04f812e38084fe2884d281082b061566c2ae45b685ed241
MD5 hash:
43764cbed874115ee4075be2bc38614e
SHA1 hash:
95483838143999177de9025f38d294c75d49dfb1
Link:
https://www.unpac.me/results/66146e4d-d36b-4245-8167-6f3d262b85b3/
SH256 hash:
5d7c3953bf84a1f8de1e52ee0ed2db630523a00f3e9e4ce89ba42e934415d224
MD5 hash:
faa80e8bf5d441f7603bc723c733de4c
SHA1 hash:
b96337f18af8594d7b0eb8affac527d3fffaa39d
Link:
https://www.unpac.me/results/66146e4d-d36b-4245-8167-6f3d262b85b3/
SH256 hash:
0bc0959621b72cd7113b9cd6159677890cedd48bbfe9099eaa0336f936dea9eb
MD5 hash:
b38932d6ae1867913139cde0299c3dee
SHA1 hash:
dd4399c0004cc516da075f959054d9198c47ab5c
Link:
https://www.unpac.me/results/66146e4d-d36b-4245-8167-6f3d262b85b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 17d5a3eebc95e4df723ede69c1c626c995fe467fc8a7d4a518f6ec56192b4a34

AgentTesla

Executable exe 21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2

(this sample)

  
Dropped by
MD5 7865bb8f97c0cb054a0f0a0244a2a850
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68439/
  
Dropped by
SHA256 17d5a3eebc95e4df723ede69c1c626c995fe467fc8a7d4a518f6ec56192b4a34

Comments