MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57e26a2814ba37cbeb74f1df6ff7c4b4190f67e15d163468874fa400179725af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57e26a2814ba37cbeb74f1df6ff7c4b4190f67e15d163468874fa400179725af
SHA3-384 hash: f2b0a1969b2f14f1f1c72fc6b8fa8a2c7113f5694de0b1021b00c156a49dfb102b90da82182568ea6afe7774ef3cecee
SHA1 hash: 2ab1b0098a7653addd77fa662ed75fc42d213ff4
MD5 hash: f8e241fffb35dd312f28c4c52ba53278
humanhash: orange-happy-may-iowa
File name:UNPIAD INVOICES.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:238'080 bytes
First seen:2020-11-06 07:09:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:KO92x/WO+euZymCe6c0xQlUK4RNPjXjOn:Ko2x+OW5/670x4bf
Threatray 19 similar samples on MalwareBazaar
TLSH FE3412531FF5C97ACFE70B79F552C96503A588C04703EADB6EC56282CE89720E19272A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: walmailout01.yourhostingaccount.com
Sending IP: 65.254.253.91
From: corp.comm@verga.biz
Subject: Unpaid Invoices
Attachment: UNPIAD INVOICES.R00 (contains "UNPIAD INVOICES.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilheracles-9786346-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/522179
Signature
Allocates many large memory junks
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57e26a2814ba37cbeb74f1df6ff7c4b4190f67e15d163468874fa400179725af/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 08:24:01 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7rgukauxi34x23u6hpw756ewqmq6z7bluldi2ehj6saaf4xewxq._file
Verdict:
malicious
Similar samples:
48731a407c161307c2725f94644a1ac4f1fe9ee7b08e83d13eadb629aa434052
AgentTesla
53bb35cd1c6826740163ec12734198379bbaf8a493aa47f4cc13abdb016295a3
AgentTesla
596b8f738a91b94ef3993e14dde4064f7062dda49fc12926601b20637e1cbc6e
AgentTesla
75f5c64ae4b1a79ee9b6e1eb8f6d7e739aae409f7ab346fe6e3fa7dcc7e69789
AgentTesla
aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240
AgentTesla
c2f1ec82febf0068c88740b94b858d400c40bc8bf1b368bc7c8920c138947b7b
AgentTesla
c898674319f4b52046ad9c08f72ea819777681ed98db54030f43d812b9690c59
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
ef91cdf4d2ae2a3dd427b89bf9a2e057ec1f6308aba537b7d808e999bb9815f8
AgentTesla
f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8
AgentTesla
+ 9 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201106-egy9s9d13e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
57e26a2814ba37cbeb74f1df6ff7c4b4190f67e15d163468874fa400179725af
MD5 hash:
f8e241fffb35dd312f28c4c52ba53278
SHA1 hash:
2ab1b0098a7653addd77fa662ed75fc42d213ff4
Link:
https://www.unpac.me/results/35e5f34e-78e2-409a-a977-e04efa976df1/
SH256 hash:
22452ef92b52d79c27832e6137ef04dde287647c7c11f29992b9dc5e58350227
MD5 hash:
f360b880f2de4d793096ea2adf327e00
SHA1 hash:
7599956a33f960389b127ff73b192ffa899694ce
Link:
https://www.unpac.me/results/35e5f34e-78e2-409a-a977-e04efa976df1/
SH256 hash:
19a2118bd44d825662d246562acddcb9a13aca30f0393eb6a1609fa2a833b471
MD5 hash:
404d50dbe31c75f6059a45a653a21ac5
SHA1 hash:
bde2e46a5e4134ce8aa11a33808ea18077616a1a
Link:
https://www.unpac.me/results/35e5f34e-78e2-409a-a977-e04efa976df1/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 a924e3fdcad5b585878b7959b8dd13f134d64e55491cc4334a947b4f2f039b6e

AgentTesla

Executable exe 57e26a2814ba37cbeb74f1df6ff7c4b4190f67e15d163468874fa400179725af

(this sample)

  
Dropped by
MD5 910b8b671c891cb01e16d7f493c341c2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a924e3fdcad5b585878b7959b8dd13f134d64e55491cc4334a947b4f2f039b6e

Comments