MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5
SHA3-384 hash: e6286fa89b3b5ea2f6dc533929b2dfb4d074f5e64c658853f7fbc10d1b490f64ec1f2f1c1fb0fa0683055230686b305c
SHA1 hash: 350f20296106a5bcc08b41c9b94400f862c27421
MD5 hash: 34db33828fd022b8c1de9da1cc60e133
humanhash: avocado-south-helium-burger
File name:INV#6534524.pif
Download: download sample
Signature AgentTesla
Create hunting rule
File size:339'456 bytes
First seen:2021-03-29 18:02:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:wudexvfIJVfSbts39i7ijAPs7TvSqUXAZB+YY4mgHWX+KhJehR:w2OvQJVfSxSimj1TvSqbz+YYVQ2Hbeh
Threatray 3'557 similar samples on MalwareBazaar
TLSH 557412C3E6A584F9ECA84632E9278D9063077D28D8A5FE3E908D716379738604177F83
Reporter abuse_ch
Tags:AgentTesla pif Telegram


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.h-email.net
Sending IP: 192.236.146.157
From: cheryl@aweonline.com
Reply-To: sales01-micargichina@mail.com
Subject: NEFT, Pick Up
Attachment: INV65345249.ISO (contains "INV#6534524.pif")

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV#6534524.pif
Verdict:
Suspicious activity
Analysis date:
2021-03-29 18:08:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8f9e072-b331-4317-a9f9-c78fa8387668

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127780/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24519.10452.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Changing the hosts file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657398
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377627 Sample: INV#6534524.pif Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 7 other signatures 2->41 7 INV#6534524.exe 3 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\ytrt.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\Temp\maur1.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\MSBuild.exe, PE32 7->27 dropped 29 2 other malicious files 7->29 dropped 51 Creates an undocumented autostart registry key 7->51 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 57 Injects a PE file into a foreign processes 7->57 11 wscript.exe 1 7->11         started        13 MSBuild.exe 4 7->13         started        signatures5 process6 dnsIp7 17 maur1.exe 2 11->17         started        33 194.5.98.251, 4537, 49716, 49718 DANILENKODE Netherlands 13->33 31 C:\Users\user\AppData\Roaming\...\MSBuild.exe, PE32 13->31 dropped file8 process9 file10 21 C:\Windows\System32\drivers\etc\hosts, ASCII 17->21 dropped 43 Antivirus detection for dropped file 17->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->45 47 Tries to steal Mail credentials (via file access) 17->47 49 5 other signatures 17->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-29 18:03:16 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzyaflesneahyqbgaosadudwvhin7j7fo2wq7rplibzl4owll7kq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d
AgentTesla
1eb70c33da7bd551957076bfeb9841fb48904bb9e75c205c3223248643ca05f7
AgentTesla
371793ef15c6e1d0b0ab0edf326d4ab60ba5ce8cf26676fcc1ebd6329a23e914
AgentTesla
7c49ac4366eb07c5e5a146356908ba9e2e7e1bb2630422821f93530f0e2ec2ed
AgentTesla
7cb81f0c2e9c2a5a5d9df01d7dc2fb0025a7d0ce1f9be9e32d86c2dc172cd4ba
AgentTesla
88d6342ccae8c8af4195bcb8c8d41230821ff2d1d5d559e074e240d903af840d
AgentTesla
c27155aba064aa455e563f7107232b9054480a144fcf7a95be062b38da27d7fd
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
e7d489df6c41d065986388f6673e9b179acf89d87acf58ca8a015d778a6c8dff
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 3'547 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210329-jmjnbpfz6x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Unpacked files
SH256 hash:
bd4555d2b59241303db939cc4f69502747de8c035aa86111efbc2dd330acf749
MD5 hash:
4d48e3bfb3d527fb22d9e94dd8f52564
SHA1 hash:
97f92c3c56981157c9b6efc514093ee79142e926
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
SH256 hash:
b9c663e25605167e1add0ba38495fdb6342351ee8ef3734ae0605363a4e7b646
MD5 hash:
973dd84497f8a6c09a965683be99805d
SHA1 hash:
767b4aaea71da348c6217a0f6976cac39af7684d
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
SH256 hash:
f8a72af39e3a0e4b632430a0611f247e9d60f23697628cb3b7d54d2c6b61779f
MD5 hash:
17bcdc22e72169c4aa2a9bde7a2deda1
SHA1 hash:
f6e43bce89d56f0f6ecc151453e379dd3f42ee03
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
SH256 hash:
b83f33541f83020c3d00c65d0170199fd55a5cf5f48f64fb3653d3026cd5f4d4
MD5 hash:
02f11f9004d589c35c20e2385a2f8f37
SHA1 hash:
93506b353b29ee6d9ddd00dba84abd0eb248e570
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
SH256 hash:
c811cdba946240b822edb90c07e988f13bbd251cc2b1190bb49a448b6681c9c2
MD5 hash:
6fe715f5f06909df5470b74c2408a258
SHA1 hash:
7d31f34c2f7cdfd4001ee5dec73aeab98b139892
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
SH256 hash:
567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5
MD5 hash:
34db33828fd022b8c1de9da1cc60e133
SHA1 hash:
350f20296106a5bcc08b41c9b94400f862c27421
Link:
https://www.unpac.me/results/fd2ed133-8ad2-425e-bb55-1ecf622e449a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

0816805ad46a8586af252e2d0b1fff2f

AgentTesla

Executable exe 567002ac9269007c402603a401d076a9d0dfa7e576ad0fc5eb4072be3acb5fd5

(this sample)

  
Dropped by
MD5 0816805ad46a8586af252e2d0b1fff2f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127780/

Comments