MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140
SHA3-384 hash: e08d14c1282aa4e87c435473fbadae856ad9019145afb604b52d8929ed521cb724c09b18febef577b026a55740a5c56d
SHA1 hash: 46dded33d12784afe77619a20ee65d1939f881b0
MD5 hash: 0f3ca465173914c361362a754a6bf65e
humanhash: montana-august-batman-lithium
File name:PO45678.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'304 bytes
First seen:2021-02-25 14:18:26 UTC
Last seen:2021-02-25 16:12:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:2+1YHCIVKyxz33JQ3Krcrlhiz6021uysgKtMuL+Y8VSpW:2+SCJKrcBgp2IyZTe
Threatray 2'911 similar samples on MalwareBazaar
TLSH 8305BF39B371BB96D1196F3AC4936A10C3F180AB7233F69B2DD018E90691F15DB1E963
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway36.websitewelcome.com
Sending IP: 192.185.201.2
From: info@hdinmobiliaria.com.ar
Subject: Confirmation Of Proforma Invoice - #PO45678 save: Proforma Invoice
Attachment: PO45678.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO45678.exe
Verdict:
Malicious activity
Analysis date:
2021-02-25 14:28:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc1d771f-324b-459f-9dac-abaa0c9e77c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119251/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.9301.29235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618822
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 07:33:35 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iafrx5ghcopx34rhjdlcplvxpco5icnoiy5a7d5x235cimdf2faa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0007311d7ccdb22d05e828edd39abec574f7f18b6f7ad9262acd1e76a6f4b7de
AgentTesla
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
1b467c02c56a9130e3fb9e62e0ee62aa6b950845c9858f95656e659b814699c3
AgentTesla
2e525c09344f83f1f77d92e492a3fe75158e5424dcc22be92a45870168275879
AgentTesla
3bde2ad937153d68a084a34cd460817a4989d1e461b4d5ceb4ba2288cc230d1f
AgentTesla
566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
AgentTesla
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
7b4b43d22be88ed3b2054ef7090ebb7b44ecc03dffa6c32e578002c9a12cbea8
AgentTesla
d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c
AgentTesla
f408fd39d1ec47e7ba56e85ac76e167b2cb000acde2643ec8f36c571fcc1842f
AgentTesla
+ 2'901 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210225-s7tahsklc2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140
MD5 hash:
0f3ca465173914c361362a754a6bf65e
SHA1 hash:
46dded33d12784afe77619a20ee65d1939f881b0
Link:
https://www.unpac.me/results/77588a34-a72b-4373-80ce-976dc43d92e4/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119251/

Comments