MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2851a4554cca2d9d75f9c90f8aea43db1c28207868e1641fcc431353564a2708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2851a4554cca2d9d75f9c90f8aea43db1c28207868e1641fcc431353564a2708
SHA3-384 hash: fb50d7a4efc5cd51f28b2f9498b2ae678e5fa0c4e4c3d9fe9f71c9513544ec688d00005d9f363ccd7439bfa2e86d1e0a
SHA1 hash: 7064a7ae9e5da56ebafbe3aebdde54476d05b40e
MD5 hash: 0f7e806d7fdbff2ea81432fb1da0d38c
humanhash: sad-potato-north-yankee
File name:Delivery Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'249'792 bytes
First seen:2021-07-07 12:40:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:HRa5RMRsVJbXqxrudvuN1naU3rTsU+vyvz0biYuWOBfWlB:Hc5RMYLq6CnaUXh4biBBBE
Threatray 6'698 similar samples on MalwareBazaar
TLSH D945CF7620338A92CEAFC7F94772151E4FADAFFE914BB6741888703500F4B5E4A5192B
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Delivery Document.exe
Verdict:
Malicious activity
Analysis date:
2021-07-07 12:45:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e9094d27-c33e-4f5b-a1df-018efe755dbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170184/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5055850c-4cca-47b9-b97e-039abf2155ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812861
Signature
Adds a directory exclusion to Windows Defender
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445272 Sample: Delivery Document.exe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 10 other signatures 2->73 7 Delivery Document.exe 7 2->7         started        11 Nwefile.exe 2->11         started        13 Nwefile.exe 2->13         started        process3 file4 53 C:\Users\user\AppData\Roaming\JzDyPnJ.exe, PE32 7->53 dropped 55 C:\Users\user\AppData\Local\...\tmp6282.tmp, XML 7->55 dropped 57 C:\Users\user\...\Delivery Document.exe.log, ASCII 7->57 dropped 75 Adds a directory exclusion to Windows Defender 7->75 77 Injects a PE file into a foreign processes 7->77 15 Delivery Document.exe 2 5 7->15         started        19 powershell.exe 22 7->19         started        21 powershell.exe 26 7->21         started        31 2 other processes 7->31 79 Multi AV Scanner detection for dropped file 11->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->81 23 powershell.exe 11->23         started        25 powershell.exe 11->25         started        27 schtasks.exe 11->27         started        29 Nwefile.exe 11->29         started        33 2 other processes 13->33 signatures5 process6 file7 59 C:\Users\user\AppData\Roaming\...59wefile.exe, PE32 15->59 dropped 61 C:\Users\user\...61wefile.exe:Zone.Identifier, ASCII 15->61 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->63 35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        65 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->65 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 31->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 33->51         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2851a4554cca2d9d75f9c90f8aea43db1c28207868e1641fcc431353564a2708/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 09:18:34 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbi2ivkmziwz25pzzehyv2sd3mocqidyndqwih6mimjvgvske4ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fa060a6dcf51fbc643db7b939ce8d01327606c058130825684258c58ff948b8
AgentTesla
2f7d4cae829b1a44e8611849e9ac7ca840733da39a590b25ad2dcbb7bfe71f4e
AgentTesla
4522f433567f4ab94f81f6ec9f445aa12ed32449260e789cacb529cb7e36a0c7
AgentTesla
6c838b83ecff0d930f544dc8b10c9e856e2d601bb2552f01cc6c8dd57c2f99ce
AgentTesla
77a856a589cf0491c1e2508b0725c265328bc2b40ac944ed2fe90afbb27a843f
AgentTesla
82004576665b77d6a67e5286154013f6f7b95bb46d81ee6b061b13343dfc4acd
AgentTesla
82e807d1ea280e220a5340a2a1530d244ddd6f985b519a8717ed8f21be3dd63b
AgentTesla
c08e280570de9dc368e7fa90a6da1f047c059e70bff357ef99e4b3fac88b4b54
AgentTesla
d3e30c5ace93870f29e8dd850907fc0f831f486e3a84ee9a02e6885f13d8622b
AgentTesla
e8e003992f2171cb3a00363655a00a66c73de119bdee835340507d2343857bc6
AgentTesla
+ 6'688 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210707-5eqf5wxnrj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/f9c989c3-76f1-4737-a0ca-6f7ee615fcc5/
SH256 hash:
363aca2e26e709a71cfc5ee0c2ae1e9eb6055b7b7e0210d5594b6cc46ee301c7
MD5 hash:
359b88cc9e1751a3e6eeb6bab2006862
SHA1 hash:
5d0dec8716bcfc76237df069606723b654b0bed0
Link:
https://www.unpac.me/results/f9c989c3-76f1-4737-a0ca-6f7ee615fcc5/
SH256 hash:
e1477773ecf38fed98089242953c960e80f3d315de7bee29662a8ad44f07030b
MD5 hash:
d31d33f8cc1f470141c8cd9fb3863832
SHA1 hash:
4229add5eea2226e85413f0afa3469f5efb1e6f5
Link:
https://www.unpac.me/results/f9c989c3-76f1-4737-a0ca-6f7ee615fcc5/
SH256 hash:
2851a4554cca2d9d75f9c90f8aea43db1c28207868e1641fcc431353564a2708
MD5 hash:
0f7e806d7fdbff2ea81432fb1da0d38c
SHA1 hash:
7064a7ae9e5da56ebafbe3aebdde54476d05b40e
Link:
https://www.unpac.me/results/f9c989c3-76f1-4737-a0ca-6f7ee615fcc5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2851a4554cca2d9d75f9c90f8aea43db1c28207868e1641fcc431353564a2708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170184/

Comments