MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4932e6c3a579b6b1659ede9cd2f89ecd6a76d3db1a42d53853fed8cef2cfb0d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4932e6c3a579b6b1659ede9cd2f89ecd6a76d3db1a42d53853fed8cef2cfb0d1
SHA3-384 hash: d863d3d1782d33225af7c252580c48bf3641302daa31c02c842350e200cce22e552c56b5ce9bb848bfd73d0ede3d48bb
SHA1 hash: 2063592b016ac90f5b32ac1de54ec0fd0fde6f05
MD5 hash: d2a48ab793be0fb5193b18561e76cf2b
humanhash: maryland-saturn-october-uniform
File name:SCAD PURCHASE ORDER 036-202_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:416'059 bytes
First seen:2021-05-19 13:12:04 UTC
Last seen:2021-05-19 15:03:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:JsFfBhiBKg3Nc8b+W9uFKULnqLml+eK2Z0JMJ53/bnhB1zERL174:QfGcEFu/rWbxMJ53Tnj1zERJc
Threatray 5'642 similar samples on MalwareBazaar
TLSH C994CF82AA80C051DC3E5BB0E43E8DF4566B7D6AE874A15F2F597F2936B30E3153214E
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SCAD PURCHASE ORDER 036-202_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-19 13:51:55 UTC
Tags:
installer
Link:
https://app.any.run/tasks/7fe4535b-a0ae-46fb-9cb2-634a951a135b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/158608/
Detection(s):
PUA.Win.Trojan.Casino-141
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785041
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 417443 Sample: SCAD PURCHASE ORDER 036-202... Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 29 mail.alandalustobacco.com 2->29 31 alandalustobacco.com 2->31 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected unpacking (changes PE section rights) 2->49 51 9 other signatures 2->51 7 SCAD PURCHASE ORDER 036-202_pdf.exe 1 23 2->7         started        11 fupsnr.exe 18 2->11         started        13 fupsnr.exe 9 2->13         started        signatures3 process4 file5 21 C:\Users\user\AppData\Roaming\...\fupsnr.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\Local\...\System.dll, PE32 7->23 dropped 53 Maps a DLL or memory area into another process 7->53 15 SCAD PURCHASE ORDER 036-202_pdf.exe 2 7->15         started        25 C:\Users\user\AppData\...\wubanhqyixqsga, DOS 11->25 dropped 27 C:\Users\user\AppData\Local\...\System.dll, PE32 11->27 dropped 55 Multi AV Scanner detection for dropped file 11->55 57 Detected unpacking (changes PE section rights) 11->57 59 Detected unpacking (overwrites its own PE header) 11->59 61 2 other signatures 11->61 19 fupsnr.exe 2 11->19         started        signatures6 process7 dnsIp8 33 alandalustobacco.com 154.16.116.113, 49766, 49767, 587 AS-COLOCROSSINGUS South Africa 15->33 35 mail.alandalustobacco.com 15->35 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->37 39 Tries to steal Mail credentials (via file access) 15->39 41 Tries to harvest and steal ftp login credentials 15->41 43 Tries to harvest and steal browser information (history, passwords, etc) 15->43 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4932e6c3a579b6b1659ede9cd2f89ecd6a76d3db1a42d53853fed8cef2cfb0d1/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 10:19:25 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jezonq5fpg3lczm632onf6e6zvvhnu63djbnkoct73mm54wpwdiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f69e45987ceaa32367537a7d745cde7cacdee5385e157d19a4799dde8dbf5ac
AgentTesla
166702605a44a92ba3455897f14c5f2708158d5e5d32370c35c56372ac8b5422
AgentTesla
313c25e0c0344b4de6862f596d63976684b68321e133bb7dc7ffc7b5e311f6a0
AgentTesla
39e51eaed3555fc629fcf1e0d980aff64a7fc52cec11ba53c53085495f81e8c4
AgentTesla
78af4e9c1f31817ce195cd77aea8659a75148c5a302b35e9c17f2ff93a696a0c
AgentTesla
7c3d54c847083ffc958bb52818010560aed26dc24a67f6ada0cd5da75136e245
AgentTesla
9122c256e01d8489721f5a124686ad014bb32fb9d058dc74d966d36381fe01c8
AgentTesla
99c823dce3f531e2a4d5c7ac84b74bb630cb344f281519927d4c202c8bac1720
AgentTesla
9dcb5615cab6dce7e207154373d26fd762cb5db990a22dde9b3f301d82aacd6b
AgentTesla
cd21f313637dcce24e8ca5cb45937fcbaeade384bb435e215e6abcee06e44757
AgentTesla
+ 5'632 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210519-qge7kjmgmn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/158608/

Comments