MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e
SHA3-384 hash: 9d10d4f8b8742e859492896be7b375a07f3c0e98977fab8f3e4d8c71901ef01b8436ee96c3ebc352002fce2596a0b675
SHA1 hash: 27b3cbce185e7cb277b7af67c1704c537ba99fac
MD5 hash: afd0990c447ee8ddd400e71826c4074d
humanhash: sodium-orange-victor-arkansas
File name:PROFOMA INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:582'656 bytes
First seen:2021-11-01 10:38:42 UTC
Last seen:2021-11-01 15:35:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:87mH16zB0Tl7mbZvCj6JyyeeAfr+zDOtGtZhTizF5l7xke:0zqTolCjYTeZfrgsKZhe7xke
Threatray 12'492 similar samples on MalwareBazaar
TLSH T12AC4CF26637CAF43D934A3FC84217058A7B06625BC97D78D9FC127E98B327B0AD60587
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
9
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PROFOMA INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-11-01 11:00:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b5a15f06-2665-4c3c-8129-4d60b7cffc86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.18180.31524.3673.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617ffa45db358dd15ee33ebf/reports/d9fc1ee5-1bb0-4e86-8c6b-dbec72f99dde/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2eb840c-6412-4799-a93a-0eefb01f56d5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880323
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 09:25:38 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7r4ett5ugvphnm26hui6uvc5qtsveruf7oxrte3uvzqjk2u6fha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35e84349cc619d11fb8db14c1e4b4cdf9e0b0ef543cde55063918340b20faa7d
AgentTesla
369b2d937fd2d49721cefcfb3de491a27c3fa2685833e9b9c8c2f0db39caceba
AgentTesla
8a11296b3d53ddb6282cb7e13903ebff1133289a199b45283f47668f905f9258
AgentTesla
9c1dff75f4eab58eed1bbec54970c5fa5b3bcf52518af40558d5a16c2e45de51
AgentTesla
a52e5aca7832092e1392b577b676443a07931a6ae662e38bb303b38a22b18a1c
AgentTesla
a66c307a5d1ffdad9f9204aa8eccde9a0975d7344b6bfaa89ecd2268a85a9918
AgentTesla
ab5c29e94cda16d44ba0b3fec24ff2a46bf9518ab2787730dde2be0db8e22d58
AgentTesla
ea16782577349595f16ed80c298d3307ddd0e261569d74ed2cff90e077202d36
AgentTesla
+ 12'482 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211101-mpyyeaedgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e2b067b67cee81aeb51b9c882547f6e4c1ef169eccbc65e7f841d19426e5f02a
MD5 hash:
00db81b57d999e42b49bfd6c4fcc8129
SHA1 hash:
f216168e58c2ceba72d6cf8473c38a449e8f6404
Link:
https://www.unpac.me/results/fc180c15-c4ac-45ce-82b4-62d6594a4e45/
SH256 hash:
b61b38bbf16f108eb856320d66bf4bc194b085f3e1643a3624ee18e5c543683c
MD5 hash:
6bd22a2d423a89c38000b999f69bd265
SHA1 hash:
f1879639a242c3e3f9a00e9ef7f92d749428af86
Link:
https://www.unpac.me/results/fc180c15-c4ac-45ce-82b4-62d6594a4e45/
SH256 hash:
7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785
MD5 hash:
171a2669225911b41301096cd9dcf19f
SHA1 hash:
dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5
Link:
https://www.unpac.me/results/fc180c15-c4ac-45ce-82b4-62d6594a4e45/
SH256 hash:
27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e
MD5 hash:
afd0990c447ee8ddd400e71826c4074d
SHA1 hash:
27b3cbce185e7cb277b7af67c1704c537ba99fac
Link:
https://www.unpac.me/results/fc180c15-c4ac-45ce-82b4-62d6594a4e45/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/27e3c24e7da1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 27e3c24e7da1aaf3b59af1e88f52a2ec272a92342fdd78cc9ba57304ab54f14e

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment

Comments