MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78
SHA3-384 hash: 50508f8fe13fedfdc4f0cc19485fabd44f1375303e38df1cbee17dd4985d9412d51c1148db905bf6fa22a63bb5c99b91
SHA1 hash: e9ae474b44405b698ff0f201d9d2e7148caca223
MD5 hash: d6ac6764369ce30b9eb8baf85a105d93
humanhash: single-quiet-angel-maine
File name:Purchase_26012021_003429.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:904'192 bytes
First seen:2021-01-28 16:29:42 UTC
Last seen:2021-01-29 07:36:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:c2vHl0+b6iHKSL/39hx9V/m9fnXcsobiR9Dnsnup+mM7b:c2tMiHKu/39H9V/mlXodup+
Threatray 4 similar samples on MalwareBazaar
TLSH 9215D7083ED3665538FCD1F0C96CAF4A703CFBB59258EC59C91A142F267B21A64E7CA1
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase_26012021_003429.exe
Verdict:
Malicious activity
Analysis date:
2021-01-28 16:32:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5dbf8237-fa51-4112-941c-8a68ccf6acab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114636/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6816.24539.15521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Enabling the 'hidden' option for files in the %temp% directory
Deleting a recently created file
Replacing files
Creating a window
Setting a keyboard event handler
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593120
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-28 00:56:19 UTC
File Type:
PE (.Net Exe)
AV detection:
18 of 29 (62.07%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4jzee5ds73ncfuldntnxplmlvodd7emjp3zenude7rpmkj7l54a._file
Verdict:
malicious
Similar samples:
2d2c26b0f3308bda9e00913401761b8b5026edccfbe12bce7a72cd2d324c2f45
AgentTesla
ae4aeb52c724cd8c68efe1835558b174b388f7219a467ddb016089ebab4ce695
AgentTesla
cdd026138671e26fdeaa513f4ee4df1b14162219fcd4e0d40ea50d7b122495b7
AgentTesla
e35a50f47b419c4b83085bc741e412c95fdf860baa0f5ed666b3b6189a9fd5d5
AgentTesla
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/210128-sa72jdvt1j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c7fb025a4ba81baa603eef2211c1ca85841b2941515e721ce222bd3238f22c84
MD5 hash:
d7708d819fcbd894239a81169c6ad0ac
SHA1 hash:
ad46a090afae357c235c61dbb661b2590e26a24e
Link:
https://www.unpac.me/results/ec0bd2bd-04f6-4826-9324-64043e864f9e/
SH256 hash:
7781d4bbb9abb32775335b91e748bd44fda425a5960a9d31d91c17eb9d3dbf78
MD5 hash:
aa9c426bb961869495060cac33694bfc
SHA1 hash:
887a9957751226772cd8f03ea178b6d7fc384ef4
Link:
https://www.unpac.me/results/ec0bd2bd-04f6-4826-9324-64043e864f9e/
SH256 hash:
47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78
MD5 hash:
d6ac6764369ce30b9eb8baf85a105d93
SHA1 hash:
e9ae474b44405b698ff0f201d9d2e7148caca223
Link:
https://www.unpac.me/results/ec0bd2bd-04f6-4826-9324-64043e864f9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz c0d1af4950b79e0ebdf73032fa8928c6640e3e0b94d4f2225d892e086ce93d23

AgentTesla

Executable exe 47139213a397f6d1168b1b66dbbd6c5d5c31fc8c4bf792368327e2f6293f5f78

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c0d1af4950b79e0ebdf73032fa8928c6640e3e0b94d4f2225d892e086ce93d23
Cape
Cape
https://www.capesandbox.com/analysis/114636/

Comments