MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
SHA3-384 hash: 22337555bee3eca344f5570042d3127b20016b7d45cb6bacaf8025a003045ac7c73f341ec354adc42165010b2fb52667
SHA1 hash: f1bcd1873038b174cf8a61c12884896ea1945a44
MD5 hash: 2430eaa4761c29d84d9bc139a10b8503
humanhash: happy-nine-hot-early
File name:Order 17034 PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'326'080 bytes
First seen:2020-10-06 05:40:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:RSpErgr8xVkiHIaOUi512fWql2G+7RfFl2WPmbk:Rdgr/7HUbIPbV
Threatray 19 similar samples on MalwareBazaar
TLSH 6455CF0196B8CE26E131903B9222F0785F7D8D815A44F6952DD6BCBFFEFEE44A4D0249
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sitemastersupplies.co.uk
Sending IP: 172.93.165.152
From: Sitemaster Supplies Ltd <distributors@sitemastersupplies.co.uk>
Subject: Provisional Order Inquiry.
Attachment: Order 17034 PDF.zip (contains "Order 17034 PDF.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68398/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482275
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293575 Sample: Order 17034 PDF.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Antivirus detection for dropped file 2->58 60 14 other signatures 2->60 7 Order 17034 PDF.exe 15 4 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2 2->14         started        16 8 other processes 2->16 process3 dnsIp4 44 flood-protection.org 85.187.154.178, 49709, 587 A2HOSTINGUS United States 7->44 46 mail.flood-protection.org 7->46 48 cdn.discordapp.com 162.159.129.233, 443, 49710 CLOUDFLARENETUS United States 7->48 42 C:\Users\user\AppData\Local\...\svchost.exe, PE32 7->42 dropped 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->70 72 Moves itself to temp directory 7->72 74 Tries to steal Mail credentials (via file access) 7->74 80 2 other signatures 7->80 18 svchost.exe 3 7->18         started        76 Injects a PE file into a foreign processes 12->76 21 svchost.exe 12->21         started        24 svchost.exe 12->24         started        26 svchost.exe 14->26         started        28 svchost.exe 14->28         started        30 svchost.exe 14->30         started        32 svchost.exe 14->32         started        50 127.0.0.1 unknown unknown 16->50 52 192.168.2.1 unknown unknown 16->52 78 Changes security center settings (notifications, updates, antivirus, firewall) 16->78 34 MpCmdRun.exe 16->34         started        file5 signatures6 process7 file8 62 Antivirus detection for dropped file 18->62 64 Multi AV Scanner detection for dropped file 18->64 66 Machine Learning detection for dropped file 18->66 68 2 other signatures 18->68 36 svchost.exe 1 2 18->36         started        40 C:\Users\user\AppData\Roaming\svchost.exe, PE32 21->40 dropped 38 conhost.exe 34->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 22:05:21 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqo2k26x4yoogu5wz5f6cuioismdizlcb6vwcmggjc5ztyk2wgia._file
Verdict:
unknown
Similar samples:
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
AgentTesla
194b26a2d9469d17c5ab27bbd41257758c3a4f7e20efd5388f3643f24c364b94
AgentTesla
28dba574a9ad10dba8fd5cfa0ff730d17ee892473afe13a8c205107cb64ef475
AgentTesla
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
AgentTesla
7a4a073fb5cee4010e0c4a19d8dd6cdd65850b64c681410d5fb17751710cccaa
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a4d9d550ca3484ea03ef418a476abd3d59c58a5cba9d7efe73b27c9177145b56
AgentTesla
a50b13f838ab5c3a87196d1b8896ad7e1bd4272c948d79bf3d4636ca4f8baba1
AgentTesla
c8ef5faf8bef2942260f56a7bfca916280711c776ee19bf00954ebdee11804ea
AgentTesla
d9c78a21a8344b6cc4768d7fa1b9ff128437267f1b7d1d29fccca4a5751d7ed6
AgentTesla
+ 9 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201006-a5998sldnj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
MD5 hash:
2430eaa4761c29d84d9bc139a10b8503
SHA1 hash:
f1bcd1873038b174cf8a61c12884896ea1945a44
Link:
https://www.unpac.me/results/0709f8f9-1b43-48e6-9d2d-d5f95d8a91cd/
SH256 hash:
2d120859cc41b394d1fbb862e7955922ff34c29a5378c1e69949ebe3baa2b2fe
MD5 hash:
50ee82ef71affec1f797ca5984ff3d7d
SHA1 hash:
0637fa651d0d80c6ca3f933b4cd17ba6814b82be
Link:
https://www.unpac.me/results/0709f8f9-1b43-48e6-9d2d-d5f95d8a91cd/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/0709f8f9-1b43-48e6-9d2d-d5f95d8a91cd/
SH256 hash:
fc35c62b175b3e9674643642f111cb7e95452d537e26483832fe25e25a4a64e0
MD5 hash:
baee64f4e4c058212983c6477a2fcb66
SHA1 hash:
a8ee0da9997694b7eade165dfcb02d1cb70b9df9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/0709f8f9-1b43-48e6-9d2d-d5f95d8a91cd/
Parent samples :
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
SH256 hash:
4b1d1cead67851d209da485daefa784bff23b0eb7bcbb9c7df496fd58d2d1f42
MD5 hash:
216c670a67f5da968977d55c45f35d4d
SHA1 hash:
fb3fd3ab647d9cfd65b5c29abd7e6a97f709fb92
Link:
https://www.unpac.me/results/0709f8f9-1b43-48e6-9d2d-d5f95d8a91cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ff36709436923f3de127a7e85d624c20b000435894f643a5d0f5c157a9bc1aac

AgentTesla

Executable exe 441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190

(this sample)

  
Dropped by
MD5 0a8c396e7ab77fadd84edf0b07652d47
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68398/
  
Dropped by
SHA256 ff36709436923f3de127a7e85d624c20b000435894f643a5d0f5c157a9bc1aac

Comments