MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5
SHA3-384 hash: f6a51b19d2e18c39a967c0799dcb2ac498c3b1046e436ae398a7be0909d5b8db39fcdb56c2025bb57b9d2938edf4d196
SHA1 hash: 96c1cbf36bb1cafea08b79c2e30a3248f383139c
MD5 hash: d20f15c141e99a4921b2492fae8d5442
humanhash: kansas-oregon-mike-fruit
File name:Shipment Details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:10'999'472 bytes
First seen:2020-11-23 18:31:41 UTC
Last seen:2020-11-24 07:10:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:MgQWp81CQR8MLxybxVCzxe4A9iR8sBmz82hdra5v5AkOj/KM0LfhrRYgI9Ix7zJ6:381OcpBshuXpI63F
Threatray 1'453 similar samples on MalwareBazaar
TLSH 67B6A6467C227443247031B89DD616F56BCBA44E2438A91A78F75CADD21CEBB3C7E272
Reporter cocaman
Tags:AgentTesla exe

Code Signing Certificate

Organisation:Bbdeacbdaafdebcbdfcefbfadcded
Issuer:Bbdeacbdaafdebcbdfcefbfadcded
Algorithm:sha256WithRSAEncryption
Valid from:Nov 23 16:34:40 2020 GMT
Valid to:Nov 23 16:34:40 2021 GMT
Serial number: C9507015B8B21AE12E657E6C62D1396E
Thumbprint Algorithm:SHA256
Thumbprint: 0CA7DBE974E607B098751E9836B154BE6B5D29345FD97FC8F110A30D82E7605C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545443
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321815 Sample: Shipment Details.exe Startdate: 23/11/2020 Architecture: WINDOWS Score: 100 41 pastebin.com 2->41 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 6 other signatures 2->51 8 Shipment Details.exe 24 7 2->8         started        13 Shipment Details.exe 2->13         started        15 Shipment Details.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 43 pastebin.com 104.23.98.190, 443, 49708, 49710 CLOUDFLARENETUS United States 8->43 35 C:\Users\user\...\Shipment Details.exe, PE32 8->35 dropped 37 C:\...\Shipment Details.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\...\Shipment Details.exe.log, ASCII 8->39 dropped 53 Creates an undocumented autostart registry key 8->53 55 Creates autostart registry keys with suspicious names 8->55 57 Creates multiple autostart registry keys 8->57 59 2 other signatures 8->59 19 powershell.exe 12 8->19         started        21 powershell.exe 10 8->21         started        23 powershell.exe 8 8->23         started        25 2 other processes 8->25 file6 signatures7 process8 process9 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 18:32:09 UTC
File Type:
PE (.Net Exe)
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kocetfldqjropfhoexnwotuvt4jds5pubw4dbjl4o4ksghxlptsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
3fd2c91007c4b1429d70710853232018e8da2528d375af5d64b79901254e52f0
AgentTesla
499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
d29642be607daa745b16691e95ff38c4da4c0a935caec464cd3beb27afc3cb8f
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
+ 1'443 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201123-rv62gaj4m2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
091a02da0a750f76b1ae6c91c6bcf7c54ec032313b7de0e0f7e13fc7f06f5ca0
MD5 hash:
f993af37a987d1eb2804c59b66fe20a2
SHA1 hash:
5e9bbc9ef4bbc2a9f0f48eeb65bba4dfdab82640
Link:
https://www.unpac.me/results/f5110ad2-d57a-4447-8e07-32b1c2fe230b/
SH256 hash:
f11e1058f15e78a5fd5f622c704562be6629b378a142126225b211bda4d207a8
MD5 hash:
2aa57093998021b63917c6918902b11a
SHA1 hash:
7bda5727a82fd7c5e28041283be1b176a4405d02
Link:
https://www.unpac.me/results/f5110ad2-d57a-4447-8e07-32b1c2fe230b/
SH256 hash:
53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5
MD5 hash:
d20f15c141e99a4921b2492fae8d5442
SHA1 hash:
96c1cbf36bb1cafea08b79c2e30a3248f383139c
Link:
https://www.unpac.me/results/f5110ad2-d57a-4447-8e07-32b1c2fe230b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace f1d9d4815a0f4ddd0ca63778d4fe75bde19236c67f06dab56760065c566558e6

AgentTesla

Executable exe 53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f1d9d4815a0f4ddd0ca63778d4fe75bde19236c67f06dab56760065c566558e6
Cape
Cape
https://www.capesandbox.com/analysis/105336/

Comments