MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194
SHA3-384 hash: a6c6e2856efd8c7d5b14596ffcd1e0dd0924c22f2675386fcafffc5924b1d75252b2dc569afc83cb1fe54741dc65c892
SHA1 hash: fa6df79dd667fcbb97c6ffbf947ee356512b292d
MD5 hash: 87e6882bcebf4823afb4303aac3628b1
humanhash: nitrogen-four-lactose-charlie
File name:4019223246.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:981'504 bytes
First seen:2021-02-25 11:10:12 UTC
Last seen:2021-02-25 12:58:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:CVsJT2fy3BWYR+nwvQILyPB+A+9JqWqi7jDB:ouB0wvngN+Dqg7
Threatray 330 similar samples on MalwareBazaar
TLSH 9B2539512264AF2CE43D673E9488280E9BFAEC46C326C95B7DFD65DF2BE1F406351206
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway5.unifiedlayer.com
Sending IP: 69.89.28.84
From: Kiran S <purchase@lifecarebaniyas.ae>
Reply-To: Kiran S <purchase@lifecarebaniyas.ae>
Subject: REQUEST FOR QUOTATION Patient Name : Sarker Romesh Sarkar Shamol-LC80145848
Attachment: 4019223246.iso (contains "4019223246.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4019223246.exe
Verdict:
Malicious activity
Analysis date:
2021-02-25 11:16:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe1ab1ae-e4ac-4210-971e-2d25f49674ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119216/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CPN.genEldorado.6337.13499.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618646
Signature
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358326 Sample: 4019223246.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 Yara detected AgentTesla 2->35 37 5 other signatures 2->37 7 4019223246.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\WZXjvtGBEKK.exe, PE32 7->19 dropped 21 C:\Users\...\WZXjvtGBEKK.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\Temp\tmp35E.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\4019223246.exe.log, ASCII 7->25 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 7->43 11 4019223246.exe 10 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 us2.smtp.mailhostbox.com 208.91.198.143, 49767, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 29 208.91.199.224, 49769, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 11:11:08 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2ozfnso462a6ftzxgcjtzwswndq7hkhpkgdkjlfbcxfofkrmgka._file
Verdict:
malicious
Similar samples:
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
AgentTesla
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
AgentTesla
498df02f7263a2b524603cb58cd01c45115645f7586147fd39b19e930dffc667
AgentTesla
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
6dda8584a5682afdc017e2e421619b02fc9f57a67de615332797b3e96981864d
AgentTesla
9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
AgentTesla
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040
AgentTesla
c5f444d3e3808d7323e4beabeeb3fd254fc9b458157aea384873fd1dbc059e82
AgentTesla
e096e858f6e33e79359f9be68c43cdb8536c99a6282adb420496e11b12a4aa4c
AgentTesla
+ 320 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210225-njazs78djs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/a299d0c6-c699-46b5-bab7-1fcf684858f1/
SH256 hash:
369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194
MD5 hash:
87e6882bcebf4823afb4303aac3628b1
SHA1 hash:
fa6df79dd667fcbb97c6ffbf947ee356512b292d
Link:
https://www.unpac.me/results/a299d0c6-c699-46b5-bab7-1fcf684858f1/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 40e863bf411dbc1f5e021a612f2131d273cf91fe3b005fa3b13df09b5e3b4145

AgentTesla

Executable exe 369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194

(this sample)

  
Dropped by
MD5 5491c9c1a81fb9f67503cf84a96e6ca0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 40e863bf411dbc1f5e021a612f2131d273cf91fe3b005fa3b13df09b5e3b4145
Cape
Cape
https://www.capesandbox.com/analysis/119216/

Comments