MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e
SHA3-384 hash: f02f780ac7ad0f918951664b05e14048cd7c699b0d4867b686ee181457c7eaf3301fbfe09363261e9ee62218c9e8fb98
SHA1 hash: de7f4a7c4b529eb91e912fe003493a844ac93648
MD5 hash: 41ec4e98b59197a434f26d8309255332
humanhash: magazine-fanta-oregon-winter
File name:COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'059'336 bytes
First seen:2021-02-15 15:25:04 UTC
Last seen:2021-02-15 17:05:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:2NSKfEZTSrWjttxpaXqqOfXZFccMpTWLjHkS4kucJuXFxC0R97sR0X3JoKJqA/5k:/
Threatray 2'658 similar samples on MalwareBazaar
TLSH C3951D81DEE30DCAB763F6111FADD50AF8A3732B2FAB5917095899D361878509023F78
Reporter James_inthe_box
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:ĦŦΜᴠŘᴛŁᴠŇĐᴅĆʙΜsᴛ
Issuer:ĦŦΜᴠŘᴛŁᴠŇĐᴅĆʙΜsᴛ
Algorithm:sha256WithRSAEncryption
Valid from:2021-02-14T21:14:44Z
Valid to:2022-02-14T21:14:44Z
Serial number: f30ddeef602628e96fc7fdf39c1fa33a
Thumbprint Algorithm:SHA256
Thumbprint: e2a3c037d3aeed686d071909d13e2848697c8eb155a7ce2a528eb8659565f859
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 15:27:03 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/c5f081ae-4378-4db7-a6e6-ee808adedafd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117170/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36347486.19875.6559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608133
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353096 Sample: COMMERCIAL INVOICE BILL OF ... Startdate: 15/02/2021 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 10 other signatures 2->38 7 COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe 3 2->7         started        10 WerFault.exe 2->10         started        process3 signatures4 40 Hides threads from debuggers 7->40 42 Injects a PE file into a foreign processes 7->42 12 COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe 2 7->12         started        16 cmd.exe 1 7->16         started        18 COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe 7->18         started        20 COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe 7->20         started        22 COMMERCIAL INVOICE BILL OF LADING ETC DOCX..exe 10->22 injected process5 dnsIp6 28 smtp.qualityfurniture-tz.com 12->28 30 us2.smtp.mailhostbox.com 208.91.199.224, 49767, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->30 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->44 46 Tries to steal Mail credentials (via file access) 12->46 48 Tries to harvest and steal ftp login credentials 12->48 50 2 other signatures 12->50 24 conhost.exe 16->24         started        26 timeout.exe 1 16->26         started        signatures7 process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-14 22:28:37 UTC
File Type:
PE (.Net Exe)
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lf7ogxu5k4uqni5wluxkydxknsihif2u4wap3gdujjimkxdaly7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
39f32ed0f76d63794bcaa528441a491c132a7c110deace155bd314566a09c90c
AgentTesla
420b0a14b0d994f9c1e2ee75a3bba5063f558a4bfbf22f8967c57de61912eff5
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
756b62870ec4d9a47422a73e78ae0021ede54b1399c93dbb3f014badb82b9905
AgentTesla
8095f23a25042bf761d123fc385093ff150114b0e3bad6a8bd9244791e0aa00f
AgentTesla
a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4
AgentTesla
b4a054c8b3781f276e07502c5cfd4064e2c0713f028ea5d94e0e4ed810036f01
AgentTesla
cbf9d4ef21092210f58ad0cbdd4753dbbf785387dd8f3001014672679196c65c
AgentTesla
d9f9b4cbf097f8f9e145b547f0725217016f5cdacbdf61e108f9e84981ce76f8
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
+ 2'648 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210215-6d5ga8g2vn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ffdd4245df3aadb3c8354debe290c8f88152eb45acb97a5cd32d9b4e60f4f74f
MD5 hash:
bf54f5dcc689dd8d86dd604132d86bd7
SHA1 hash:
e35e74dd26329c0668c85d8291c01bfd8081659a
Link:
https://www.unpac.me/results/db1ba23b-7270-40ad-9376-a9196ccb5f5a/
SH256 hash:
1c6c0678b3525080abbd003e0985c17b8f7038d1a0b5d885d23a8bdbb93b2cf4
MD5 hash:
6ff42dea64221612051ef76cd230ebb2
SHA1 hash:
5f0122721c700256eb58a97897793b255ddb125e
Link:
https://www.unpac.me/results/db1ba23b-7270-40ad-9376-a9196ccb5f5a/
SH256 hash:
597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e
MD5 hash:
41ec4e98b59197a434f26d8309255332
SHA1 hash:
de7f4a7c4b529eb91e912fe003493a844ac93648
Link:
https://www.unpac.me/results/db1ba23b-7270-40ad-9376-a9196ccb5f5a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/597ee35e9d572906a3b65d2eac0eea6c90741754e580fd98744a50c55c605e3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/117170/

Comments