MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4
SHA3-384 hash: 71b4423dc1857d72eddca0e760bb22da54bd0ea9eec402f8bff1f3ae9b95724d6771bc808b5e7dcd83add77adec69ee5
SHA1 hash: b090ad4a9abdd606d18e40158a11e45a0dea5cfd
MD5 hash: 5d5dcad5e3ef755eed717765ec4f9640
humanhash: july-red-december-winner
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'901'504 bytes
First seen:2020-11-20 07:46:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:sxlZKf+G0y7M15+JYK9PR2L8xXoTcm/hmphjG+xAOXaYmiVGwqN8OaRGdI/C6or:n7TRZvXoTZ0jGpO3GwKR/16or
Threatray 1'423 similar samples on MalwareBazaar
TLSH 3ED559583C83345F799A11B046D726E8A1F23558097127398CE768BCDA0EDAB7CDF872
Reporter abuse_ch
Tags:AgentTesla Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gproxy3-pub.mail.unifiedlayer.com
Sending IP: 69.89.30.42
From: bhavinshah@veerenergy.net
Subject: PURCHASE ORDER
Attachment: Purchase Order.exe

AgentTesla SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/543964
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321082 Sample: Purchase Order.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 96 16 smtp.privateemail.com 2->16 18 nagano-19599.herokussl.com 2->18 20 3 other IPs or domains 2->20 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected AgentTesla 2->26 28 6 other signatures 2->28 7 Purchase Order.exe 2 2->7         started        signatures3 process4 signatures5 30 Hides threads from debuggers 7->30 32 Injects a PE file into a foreign processes 7->32 10 Purchase Order.exe 2 7->10         started        12 WerFault.exe 23 11 7->12         started        14 Purchase Order.exe 7->14         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 03:19:16 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jegqo64vionrqgti22k75bewmu57hxkc23slv3y6oezlkuhcpdka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1228ba2604d0a579845a1dfdc24e4923c184e1295d2af972063d76d64b33ef99
AgentTesla
1a6a3ac02a5a13f30791093a6a47dc9aef9f4de415446a81f711975e85884044
AgentTesla
24098778dca36a5ff9aa4ce38ab0bd9cdecfd3a8dc3f563e694111003d6f7827
AgentTesla
4ed26280f05b2a930b2439cc4e853cf11c6df47f6654cd0a0a6662df85d7e230
AgentTesla
5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94
AgentTesla
69802a718d5caaf3e8c9e319eb703dcfa34971d9f79f9b8135b722a0cf12c74b
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
b038873608088e7d9f054df77e88fa0b9ada18062e5977f57b5278755735cb73
AgentTesla
bd7bc6f7691334319750e484ab95397c67b973ec0c0efd25c1227c4328630b28
AgentTesla
c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105
AgentTesla
+ 1'413 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201120-2rl2rfa22x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4
MD5 hash:
5d5dcad5e3ef755eed717765ec4f9640
SHA1 hash:
b090ad4a9abdd606d18e40158a11e45a0dea5cfd
Link:
https://www.unpac.me/results/0c19392f-9d3c-43a4-bc59-913d984a2799/
SH256 hash:
dc8b2f2369d33678ced2be8a5e4ffb9c04b18bee73b9f19a43a7ac69d2bef079
MD5 hash:
f33099352ae18079a1d5c64b6783ff8d
SHA1 hash:
332cb9f0eda6c5ecda75ad2a2d6515448ed78c91
Link:
https://www.unpac.me/results/0c19392f-9d3c-43a4-bc59-913d984a2799/
SH256 hash:
8b11468aa4eac87e79dfb705e6454bece62feb2165b026ebeb98ad51c6546761
MD5 hash:
563c74a14c6b88353b6dd384e2f6c95c
SHA1 hash:
79d25c5c65a3ec926c9700df9687bdefb5d742d5
Link:
https://www.unpac.me/results/0c19392f-9d3c-43a4-bc59-913d984a2799/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments