MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7
SHA3-384 hash: 52f1fc629ad170f0558dae8a31107ffab9da071069a48795276aa464c9cbd91d42de799a805d056ed4d28cb8ba1f4a9d
SHA1 hash: 34aabfb2528c2ac5c2e6627899c9cfec3363ea6c
MD5 hash: 45b95fef12379d805b41e2f01b02c07e
humanhash: april-two-xray-indigo
File name:PO# 4300000379.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'108'992 bytes
First seen:2020-10-12 05:56:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:cWiqpgS/cTLOsu+JQMivj3xpPlCbrNAs1O7BU4w9/Rq32d1q:PgTauJQRvD83VOlWfqL
TLSH 3F35E0C2E98955A4DC49AB716A37CD3482237DEEA934942C28DE3D273FFB2D35026153
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tassgroup.com
Sending IP: 103.99.1.146
From: PURCHASE DEP<vsb@tassgroup.com>
Subject: Re: Invoice & Packing List
Attachment: PO 4300000379.zip (contains "PO# 4300000379.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69918/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487947
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 01:02:58 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhcyrytohve7wetkhvudg4ecbalrch2t6fc6pyuuwirxiwqyud3q._file
Verdict:
unknown
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201012-3fchmez84n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7
MD5 hash:
45b95fef12379d805b41e2f01b02c07e
SHA1 hash:
34aabfb2528c2ac5c2e6627899c9cfec3363ea6c
Link:
https://www.unpac.me/results/7fd33700-0184-4ac6-b0ea-cee84ce8800d/
SH256 hash:
97c7cfc4cede595f3a05bf557a7b67b21d318318370052db3b7987775b54af46
MD5 hash:
f1588aef553176dd557e8c1023cddb43
SHA1 hash:
5b8ef7efc6c52a7363742fa10d862170c625516e
Link:
https://www.unpac.me/results/7fd33700-0184-4ac6-b0ea-cee84ce8800d/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/7fd33700-0184-4ac6-b0ea-cee84ce8800d/
SH256 hash:
6fea87be5ed2e2931555b560b5e132c3d4238dbc51203e91d553248c150b9f80
MD5 hash:
1dd80124e1833375a58a263f8af5714a
SHA1 hash:
b43194c951f5b932d5bc520661f9a9f4840a4014
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/7fd33700-0184-4ac6-b0ea-cee84ce8800d/
Parent samples :
49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7
555aeb6d9c6d4c69aea5e57bcfcc5e68313c95f03e1f2b79d68251d4ce066bba
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 95fa4b042c5edb3c62969857658b8a86a710c0ab1c1b10a676aa7ab3cb2f3ceb

AgentTesla

Executable exe 49c588e26e3d49fb126a3d683370820817111f53f145e7e294b223745a18a0f7

(this sample)

  
Dropped by
MD5 69e21d188c679bde51c9498169d1a19f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69918/
  
Dropped by
SHA256 95fa4b042c5edb3c62969857658b8a86a710c0ab1c1b10a676aa7ab3cb2f3ceb

Comments