MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e
SHA3-384 hash: 081f0d261693dd27e4e4f28523cd6beb1185755cb9ef8ffc691f9d242dfd8bab705190933a54a350dc0c88eb03454004
SHA1 hash: 4f6be67a8d28578ae178796d732deec30b7cd587
MD5 hash: e4797ea53973363a3411d0c4bc6abc22
humanhash: speaker-finch-robert-ten
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'040 bytes
First seen:2021-01-06 07:39:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xGZroYTVKf0dLeEI+7xzu20BUStywnbrX9Svh2xG:xGZrokKf01NxzN6lIyG
Threatray 2'075 similar samples on MalwareBazaar
TLSH FAF49D1377F99640F1BA2B349AB0443197F2FC469A2EC17D68D9704D08F1A80A9B97F7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx07.podernet.net
Sending IP: 169.57.120.171
From: Banorte en su Empresa <calidad@aecatepec.com.mx>
Subject: RE: Invoice Packing List
Attachment: Invoice.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:41:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04e77156-a3b4-45fc-8efe-859e055786df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110689/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574889
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-06 00:39:18 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=is2ugo3jvnimund3vjoasdjxz57djbjg6afvj7gvmekes4ps7zha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0158b790a1604fc90e7c01c81f7851fb1a86f9e9d01de234b5134b763039707a
AgentTesla
701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671
AgentTesla
7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
AgentTesla
81274d23515440feac07a591db64f946640ab3a4350bbfaa0d955ced83175fb0
AgentTesla
84040132d504dbc295119c29d7a8262392bf09caca8ede8236a26e2cab0ace6e
AgentTesla
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
AgentTesla
abd3a1a0ccfcc5e723e8b022e2dc025c617b94da33136673be439819a5160d6e
AgentTesla
aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
AgentTesla
ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b
AgentTesla
deb5aeda39ad04b441ddbca22caa3a35e572483cc56e6a095b951342e716d6f6
AgentTesla
+ 2'065 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210106-zkz188w2e2/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
ServiceHost packer
Unpacked files
SH256 hash:
44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e
MD5 hash:
e4797ea53973363a3411d0c4bc6abc22
SHA1 hash:
4f6be67a8d28578ae178796d732deec30b7cd587
Link:
https://www.unpac.me/results/239e6c63-4464-463a-8dc1-95c4eccef7f4/
SH256 hash:
0759e55dae527464c28d1b84eb6ad517dc9faf34a5ad10d55f652cb410a28f21
MD5 hash:
0ec82c5999a9391b7628d336f567b104
SHA1 hash:
0bd5978b480d87c0227a4bc7d12a761ae870d1aa
Link:
https://www.unpac.me/results/239e6c63-4464-463a-8dc1-95c4eccef7f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Starter
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110689/

Comments