MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16
SHA3-384 hash: 37b7209421b086d1b778c63d2ea0b08ae9eb6ba4e137eb226f06b02f3857a236c7ebc392f00ee003567e9d93ebc8cd13
SHA1 hash: b8d335706c64166c1cc7f75331b181b91f1f0959
MD5 hash: 26ec2afceae8840f6c3af0a91f7ec637
humanhash: harry-magazine-illinois-mirror
File name:INV STATMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:343'917 bytes
First seen:2021-03-01 11:06:35 UTC
Last seen:2021-03-10 03:16:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:x9X0G3JgL/RiwNKiDA7DOJVKXc/77yIpFZ46bxIyVEGv/AOG5v8vt0BaFp8T:n0CJgbRDNnDA+kY77y2FjxrJwO+qt8ac
Threatray 3'189 similar samples on MalwareBazaar
TLSH 5B74232B0708D0F7CDD271312EB596245ED2E39A14651F8F6BB40D4CB92258B9E3E6A2
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
15
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV STATMENT.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 11:09:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/515ac4de-1d71-4338-bf78-a14970924498

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120201/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622013
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 10:45:34 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsqirrzpgc7vtjb3nwrfodee6a6jvbpnz22jyss7yqdv2zzsbyla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
50737e711d6a55fe1c6e2289526e2d970a263ab033d93015b52a9fd2e3c5df58
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
a65c812000900485065a8a2d13fed88aeb45077d8bd14424fe4a3a363e147e14
AgentTesla
c20cdceb9065b28f9e80f21bf214d1eac74d40960f0bc9e4226d55e0ef9dfe61
AgentTesla
c688354e137fcaca21a335e36a8bd8d72862cda728a5bb69c08350d499e9c9c5
AgentTesla
d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f
AgentTesla
dc8b8addeb256bdfb0eb82d09b54b57400deed315a727e331fe66ca59c965373
AgentTesla
e640dcc83b88144d234670a8ce722aada3b3472ad0892e884c9d8b6cf460af1d
AgentTesla
e9bd86ab3129da3447a70bac66feb2f90f7829e5b4595cff15a31a45b1cf82f7
AgentTesla
eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a
AgentTesla
+ 3'179 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210301-5w6f27dw62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16
MD5 hash:
26ec2afceae8840f6c3af0a91f7ec637
SHA1 hash:
b8d335706c64166c1cc7f75331b181b91f1f0959
Link:
https://www.unpac.me/results/219c97d1-159d-484b-82e0-d08bcd5b9f85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 77f2dffa790392628baaab89990567cae7d82a60ebb0a12f15db0e04f6ee63af

AgentTesla

Executable exe 4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16

(this sample)

  
Dropped by
MD5 6b81a9ee60c862f098ae4536a52948c7
  
Dropped by
SHA256 77f2dffa790392628baaab89990567cae7d82a60ebb0a12f15db0e04f6ee63af
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120201/

Comments