MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
SHA3-384 hash: 1e40782cfcce03dda12aa8b6bac62c2a1c5f6119fb4a0a23b4278b79d051d0a9ab0aaee3658de060ee9805be122ae29a
SHA1 hash: abbcd815e4c4815fc69480a754de7e161ec717aa
MD5 hash: dd31cca735c2f9f3406417566528d712
humanhash: shade-tango-equal-oranges
File name:PURCHASE ITEMS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:44'184 bytes
First seen:2021-02-23 07:21:36 UTC
Last seen:2021-02-23 08:46:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:oaQb0nfsetBERJ2BhV6i1ZKCfKL1ZgZgZgZ3ZgZgZZZgZgLREMAk1Fhj5:oSnVtqRYBhV6if81ZgZgZgZ3ZgZgZZZz
Threatray 2'869 similar samples on MalwareBazaar
TLSH 3913D8DD1BE388B2EBAD4B7679E0261406B0A4850C5DC32F18DC69F742E7683E741ED6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: coolermaster.com.tw
Sending IP: 45.133.116.243
From: Raffizas<sales@coolermaster.com.tw>
Subject: purchase order
Attachment: PURCHASE ITEMS.7Z (contains "PURCHASE ITEMS.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118502/
Detection(s):
SecuriteInfo.com.Variant.Bulz.368783.22024.15602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/614988
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356503 Sample: PURCHASE ITEMS.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 92 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AgentTesla 2->34 36 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->36 38 7 other signatures 2->38 7 PURCHASE ITEMS.exe 21 6 2->7         started        process3 dnsIp4 30 coroloboxorozor.com 172.67.172.17, 49691, 80 CLOUDFLARENETUS United States 7->30 28 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->28 dropped 40 Adds a directory exclusion to Windows Defender 7->40 42 Hides threads from debuggers 7->42 12 cmd.exe 1 7->12         started        14 powershell.exe 21 7->14         started        16 AdvancedRun.exe 1 7->16         started        18 3 other processes 7->18 file5 signatures6 process7 process8 20 conhost.exe 12->20         started        22 timeout.exe 1 12->22         started        24 conhost.exe 14->24         started        26 AdvancedRun.exe 16->26         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 07:22:16 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5qkxnt33n2uw7typdpygve4gmtykbklgn4abz2zrjhtssub3ija._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
56431350911d0476225fe5218ef37ad68ad0542b393f79ff080a69b4592a67b6
AgentTesla
abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
AgentTesla
c725eea92437455b05cf0c4007e63abff342befc67e4b8ad0e60eaa96074955e
AgentTesla
cdcd7f4c9ccb8eeda9202454f40c32ce208c4943df9f84b56cb08ef600015e31
AgentTesla
d6b54e921467dd688dc63b3019654168fd7e72fb0b902e9b08f8c0c3337af388
AgentTesla
+ 2'859 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210223-wbtdzh9mk2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Nirsoft
AgentTesla
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
MD5 hash:
dd31cca735c2f9f3406417566528d712
SHA1 hash:
abbcd815e4c4815fc69480a754de7e161ec717aa
Link:
https://www.unpac.me/results/29b12682-a029-41a4-9247-171afbc35366/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z b24e34885a3daa75976b31d6aa947aa89526500e0f7ef4bfc67bd8605ed8bd2a

AgentTesla

Executable exe 2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12

(this sample)

  
Dropped by
MD5 ff7a4ce24c57b9b89ffde0b7320ab9a5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118502/
  
Dropped by
SHA256 b24e34885a3daa75976b31d6aa947aa89526500e0f7ef4bfc67bd8605ed8bd2a

Comments