MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9
SHA3-384 hash: 46e0eb865ef5c255c9c33cc263503717e5d1360209d720c42accab8fbd100f745206b9fa61d74e51fea5f86c008fdb94
SHA1 hash: 1ae8b86ef841b4a458081b3fa325122a10a1ed10
MD5 hash: cd39d35a7089f69ffb0e9a47dbb17fdc
humanhash: mockingbird-three-juliet-kilo
File name:TNT Invoice 07833955.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:700'416 bytes
First seen:2021-08-08 15:15:41 UTC
Last seen:2021-08-08 16:01:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:2pbygiylZ2YT5qc2+8Hq4fxn9VnmFr/DHnH1QXgz/sQuOG3DGo/q:2VygiyrxNqQT4x9Ve7LzSOG3DGw
Threatray 8'026 similar samples on MalwareBazaar
TLSH T103E4BD2B1614422BF97CC13E6966424BF23CDFD2F8DDCA8AE9873519C5F1683278429D
dhash icon b2b6b2f4b09c80a0 (2 x AgentTesla, 1 x NanoCore)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.tkivna.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT_Invoice_07833955.zip
Verdict:
Malicious activity
Analysis date:
2021-08-08 06:25:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/306c06ee-12b9-4fb6-867a-83c3ffed14d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177241/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.988.3853.10327.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11a13ba1-35f6-479f-a658-aee69da4a1f9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828807
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 04:56:43 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyudtvrlxsean3kwf5csku6iwd7svwwwfn4oyctiy6obtpoy67eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05a9b623cb12a105466b4b0ae0856813279588fafaac224a0b735842d2dcd5f3
AgentTesla
08ea7de7e8c4004fd90f219c0b58930c14071fc1b6ae8606321ff1afb5204ed4
AgentTesla
1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420
AgentTesla
20307f9c8eb3da30dbf30172ebf4e810e44d527196d8c633cea1f10dd118b36b
AgentTesla
3303026871e51adf4ce267404c9728747f5a7077320264314fdd31bddfb5d9aa
AgentTesla
8855fafbd275b5d7c85a8106502c7a059f06622d8b418b596747cbbd44d37315
AgentTesla
c91236eb39a96048da112bb1076728a3b42c693f5b6b1484a503b7070a57dea9
AgentTesla
dd9113142fe95a5b0d389a920be3f978f452fe6e5b591e40b40b7a4e274d3b85
AgentTesla
e893fb5f7dccba1301b57ed560d08c2383f61d3c6760809743dd0f67870b7572
AgentTesla
ef493fe2688db7c97fd7e0af12bae0b42aeee9c1c7ccf241865e1cfa5cb50cac
AgentTesla
+ 8'016 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210808-x5f2jgwcge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
39dd811dce44131a94fa8f7f8d1f708063c280cf67edfa9510bc4082f7e085da
MD5 hash:
a37e8041e6f5f3abaaba28d2b2953d57
SHA1 hash:
ed1d08317e0eef7835dee99842653e50d954c023
Link:
https://www.unpac.me/results/35e76bc7-3e40-4d96-a600-2682b5d42114/
SH256 hash:
883fb3ab8c81e0543d57c73cad24b882a0b2358f8279377084520d9453f1a2f9
MD5 hash:
1335fd9fe9a55d096060e74e10e4346e
SHA1 hash:
bbbd7d262b641281acee1e0a7a738aaac982fd4e
Link:
https://www.unpac.me/results/35e76bc7-3e40-4d96-a600-2682b5d42114/
SH256 hash:
d910c2ecd1b3e43118a6a5173295106d9cb516b50f0d6ec170bd5a423f75b4d8
MD5 hash:
e8dd540bf68f3705f68813a332431f13
SHA1 hash:
1c7e443194177e9fc3529258ab78196b80087af9
Link:
https://www.unpac.me/results/35e76bc7-3e40-4d96-a600-2682b5d42114/
SH256 hash:
4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9
MD5 hash:
cd39d35a7089f69ffb0e9a47dbb17fdc
SHA1 hash:
1ae8b86ef841b4a458081b3fa325122a10a1ed10
Link:
https://www.unpac.me/results/35e76bc7-3e40-4d96-a600-2682b5d42114/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4e2839d62bbc8806ed562f452553c8b0ff2adad62b78ec0a68c79c19bdd8f7c9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177241/

Comments