MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45
SHA3-384 hash: af032c8ad7e58ae16358004fa958b95a9e054e5fee073feb1804e83fe3e4951f35d3b02a70eba4487c6c921e1771aea1
SHA1 hash: d291357fcf1a8424e412989f006b40e77fa1e5f0
MD5 hash: 0ba47a5ef639d16a1bc68b7d9c2fca34
humanhash: march-illinois-xray-whiskey
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:924'160 bytes
First seen:2021-04-12 15:27:33 UTC
Last seen:2021-04-13 10:50:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:aodXQ2/ifIKwgC8f0I8Gw7wWRJfBcqv83ME1fh27i7eFJxU7yZwmtWjnFJTHj3iq:9p5ifIR8F8GoR37+fh28J73
Threatray 3'885 similar samples on MalwareBazaar
TLSH 9D15CFAD365076DFC827CD72CAA81C64EA2074BB531BD203A01716EDAA4D69BDF141F3
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 15:33:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67a5bd85-38ef-4536-8290-362ac866e820

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133796/
Detection(s):
SecuriteInfo.com.Artemis0BA47A5EF639.4108.15404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673253
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 15:27:06 UTC
File Type:
PE (.Net Exe)
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2yeru5g5v2lckubujmics4wn6ubo3qyytmi7imkyeytsa62frcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00f15693650f7e3640fd510852dc0301d357717a986a49c35b3b91d876df8d66
AgentTesla
0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e
AgentTesla
0ee03cc5f9b8111e270aaf8a7bd92568e6604efdfda8d124d67892fa5d4690cf
AgentTesla
1a5421663abc706ce1c326cd443f5aba56108c99ef8e885261366aabf2e2f915
AgentTesla
29890b01a73b6721cf2e80232cc366b95be2eeb81bd7beb72372cd3ae4f05293
AgentTesla
55dee6475ed6ea1cfb43a31212f428175352d010544945ad7cdc5341cc388da4
AgentTesla
5842f3956659c2e81a88473dfd7603182d4e43cd8120e24a61189e7a43541751
AgentTesla
672a61ad27f7bafa74b86dffa95262a18256d48cf3f1aa74c5b6907cefd9cad1
AgentTesla
af1d434f702045685e163c36d8d24098389e7675eed56ae34a90532764df2d3b
AgentTesla
f9ac482ceccf651bfb9fb322fb71f94a3ae3a64a2113541fcd888d40d305898c
AgentTesla
+ 3'875 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210412-yzvzr5v1e6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
33f6910ef6772505dc2a7a086ec1519ea97444220adbb7736f466290e16d819e
MD5 hash:
3380a30d26236f4468026f9d0356b5d7
SHA1 hash:
8b96298a26f07a9c92be6377d41ab6fe599deb2a
Link:
https://www.unpac.me/results/2ce075ac-ae06-48d9-8fca-c5956d6e14d9/
SH256 hash:
946d9982157d174f15c6937176e2cc24f161905ec9d8c795d057f2ab3383e460
MD5 hash:
744680e7e75cb8885495c075473332e0
SHA1 hash:
50779b60a911648a6dcd9b5ea2ac103f452c0083
Link:
https://www.unpac.me/results/2ce075ac-ae06-48d9-8fca-c5956d6e14d9/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/2ce075ac-ae06-48d9-8fca-c5956d6e14d9/
SH256 hash:
26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45
MD5 hash:
0ba47a5ef639d16a1bc68b7d9c2fca34
SHA1 hash:
d291357fcf1a8424e412989f006b40e77fa1e5f0
Link:
https://www.unpac.me/results/2ce075ac-ae06-48d9-8fca-c5956d6e14d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26b048d3a6ed74b12a81a258814b966fa8176e18c4d88fa18ac1313903da2c45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/133796/

Comments