MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9
SHA3-384 hash: 127e75630db73badcf9f9cc6d181cde727af940e24d07188efc26057d7d0f89d76bd74ae0f5cb2b2995ad9be1ecb4c11
SHA1 hash: 0ef424d2000f18e6b83473535bf85d22ed9ab79b
MD5 hash: 27233176a2a979195b01a53ec16c7631
humanhash: cola-iowa-lima-pip
File name:08042021New-PurchaseOrder.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:32'008 bytes
First seen:2021-04-08 08:49:38 UTC
Last seen:2021-04-08 10:21:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:/FmaU0mnYm/8KfVJlIAHcQxGflnBieit0JLkbPd2HdPIZy75V3qKncMrGDDkhx6Z:/FmaU0mnYm/XfFHcQiv2
Threatray 3'897 similar samples on MalwareBazaar
TLSH FBE2A6989BFB045CE41FF636E7D4DF84A977B5E0245285B3099214BB80813F996E323E
Reporter abuse_ch
Tags:AgentTesla bat Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic305-29.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.133.228
From: Emad Salah <chrisdolas@yahoo.com>
Subject: Re: Re: New Purchase Order
Attachment: 08042021New-PurchaseOrder.zip (contains "08042021New-PurchaseOrder.bat")

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08042021New-PurchaseOrder.bat
Verdict:
Malicious activity
Analysis date:
2021-04-08 09:03:55 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/52382453-3920-4a06-bf03-9253fc4007bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133132/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.154.18760.21583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Sending a TCP request to an infection source
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6a42ddf-2b45-4947-a473-d144ccfa8ef6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/669940
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383917 Sample: 08042021New-PurchaseOrder.bat Startdate: 08/04/2021 Architecture: WINDOWS Score: 96 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected AgentTesla 2->62 64 Initial sample is a PE file and has a suspicious name 2->64 7 08042021New-PurchaseOrder.exe 21 7 2->7         started        12 SWqTT.exe 2->12         started        14 SWqTT.exe 2->14         started        process3 dnsIp4 52 myliverpoolnews.cf 172.67.150.212, 443, 49703, 49704 CLOUDFLARENETUS United States 7->52 54 192.168.2.1 unknown unknown 7->54 46 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->46 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->68 70 Adds a directory exclusion to Windows Defender 7->70 16 08042021New-PurchaseOrder.exe 7->16         started        20 cmd.exe 7->20         started        22 powershell.exe 23 7->22         started        28 3 other processes 7->28 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->48 dropped 72 Multi AV Scanner detection for dropped file 12->72 74 Hides threads from debuggers 12->74 24 AdvancedRun.exe 12->24         started        50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->50 dropped 26 AdvancedRun.exe 14->26         started        file5 signatures6 process7 file8 42 C:\Users\user\AppData\Roaming\...\SWqTT.exe, PE32 16->42 dropped 44 C:\Users\user\...\SWqTT.exe:Zone.Identifier, ASCII 16->44 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->56 30 conhost.exe 20->30         started        32 timeout.exe 20->32         started        34 conhost.exe 22->34         started        36 AdvancedRun.exe 24->36         started        38 AdvancedRun.exe 28->38         started        40 conhost.exe 28->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-08 08:50:06 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hf5gf7exr55jpkd4vl44gxuy4sqfhxsopbv65zz2nqnmb2m4t7eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
79b276630a955b4f8940424fc1e85a1020cdc2d777c2760e8d696a932bb06f47
AgentTesla
84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3
AgentTesla
850d8459a16051871e4c656b7f1b5a1f7eb42c165a7285f5560d81a006821d28
AgentTesla
93c5bfb2b4a47759762d3ae4b1d80c2de8a4d41860d18c55cafa7607a8e7f1c4
AgentTesla
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
AgentTesla
c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50
AgentTesla
c49fbe617af106c71ecf49bf1f2c67f564eab92deac20f9510ff117dda4b5124
AgentTesla
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
AgentTesla
de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd
AgentTesla
+ 3'887 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210408-w674x4s92n/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
AgentTesla Payload
Nirsoft
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
AgentTesla
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9
MD5 hash:
27233176a2a979195b01a53ec16c7631
SHA1 hash:
0ef424d2000f18e6b83473535bf85d22ed9ab79b
Link:
https://www.unpac.me/results/22f008eb-0a44-4b36-850a-0f96cacdc821/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip b3bc65bad2802d4d9e30fc08c245143998f32193521d347c406946cf6edc8b9a

AgentTesla

Executable exe 397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9

(this sample)

  
Dropped by
MD5 139c6698ef6fe0b516141ef2ff2e2a33
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b3bc65bad2802d4d9e30fc08c245143998f32193521d347c406946cf6edc8b9a
Cape
Cape
https://www.capesandbox.com/analysis/133132/

Comments