MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136
SHA3-384 hash: 5fabd619fbdae0bed63bd8e9b1d0cb1d8404237ca3f2bdeac73545adc9e92b03881375a85a20c1f50651512bd23c944a
SHA1 hash: 3561637dbd6e8020e96c9594625df5fd8c343e1a
MD5 hash: e87375811878d6b10e3fd6f7777000af
humanhash: sad-romeo-helium-september
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:636'416 bytes
First seen:2021-03-31 09:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KZuuJRiUkeopkCA5DMmRQbxZfN4ikJEp55dy6/y3:YuuJRuer9+mGbHtfvdyUy3
Threatray 3'608 similar samples on MalwareBazaar
TLSH 29D402F02E06DBD4D63856FE7118601116B9EBF384034F88CA58F9B63479E8D4DEA687
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 03:56:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee3b428a-d448-4660-9b0b-6d3955896ac6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129241/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660093
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 03:15:22 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnkzssfj4jfaripl7oac46j74vionc6lrgmk4flaecfmthv32e3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5f31b8fc53f4628aa678d164b995732bea8affd218185d69f1ad86e65bb7757a
AgentTesla
7cd324a59fcdba34bf5599747c3490e2190f03c54fec88c5f184635285d99431
AgentTesla
a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed
AgentTesla
af298d2fb1377a2a262f96a6cebf232af6d157b2842011f293e9ffbedb7f5f70
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3
AgentTesla
f1f47602e55f248bf5dbfbefc79b439f56d10d8128a740a2c983c3f7ee8f49d3
AgentTesla
f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13
AgentTesla
f90cf6686fcfe69bb074cf65a5b7e19c8e97b1351377faa7a2477577d4171de8
AgentTesla
fa90d78204fa29f8b45fa06b7a65a02eb103564f260bd70fd6f4296fed8d6587
AgentTesla
+ 3'598 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210331-cknqptr9w6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6125e3ab9540ab1869f04eab3cef8af9a62642d9c38390ed009002d5b02771a8
MD5 hash:
fcc61cff6e42f40e1c7f961f8a2b7c0e
SHA1 hash:
7a2a4774db0c5633d17fef9edaad022365c964c6
Link:
https://www.unpac.me/results/17b8d8fa-5d3b-4763-a14e-64161f31a51e/
SH256 hash:
00707d997b691c28bc51bde5f419d572d8e34bbc0d5ba6dfacd213f2460f6eb6
MD5 hash:
32a4d8ce734c06fe20c3fa793eab13ad
SHA1 hash:
527326cbeb517a6ca062286a63a995bc858b17fe
Link:
https://www.unpac.me/results/17b8d8fa-5d3b-4763-a14e-64161f31a51e/
SH256 hash:
c4d6045feb59c2ffdcbbef5d220a845edaa73ca6de27be81b73caebcd9108ebc
MD5 hash:
c17e2bec05c8c3f85bd462708854a2a8
SHA1 hash:
04430de1ec0535f3df66f368a2d0b52bb19f52d4
Link:
https://www.unpac.me/results/17b8d8fa-5d3b-4763-a14e-64161f31a51e/
SH256 hash:
33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136
MD5 hash:
e87375811878d6b10e3fd6f7777000af
SHA1 hash:
3561637dbd6e8020e96c9594625df5fd8c343e1a
Link:
https://www.unpac.me/results/17b8d8fa-5d3b-4763-a14e-64161f31a51e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 23741f6b3349b09dae80e09a75a8653eeb1bb313ec3d294e6aa6ce80ec7fdbf4

AgentTesla

Executable exe 33559948a9e24a08a1ebfb802e793fe550e68bcb8998ae1560208ac99ebbd136

(this sample)

  
Dropped by
MD5 8a8a496889e61b1022ced848ac27cc3f
  
Dropped by
SHA256 23741f6b3349b09dae80e09a75a8653eeb1bb313ec3d294e6aa6ce80ec7fdbf4
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129241/

Comments