MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 682ce3faec5aee3ab19316ed585ae60d088cc69bb0dbfe4c089c6d1cade26de8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	682ce3faec5aee3ab19316ed585ae60d088cc69bb0dbfe4c089c6d1cade26de8
SHA3-384 hash:	8d914b5950317789aa5b1db46a0e37c24f477574470bc8c03d47cb67e873db76dfcf992898a07a0600f95780342d18da
SHA1 hash:	20c56ded4ff57c8a655f44e770e168ca617c37f6
MD5 hash:	5c1dfc41184e7e0c8beeb63cf8eb5684
humanhash:	enemy-december-ack-dakota
File name:	proforma invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'089'024 bytes
First seen:	2021-05-06 05:31:09 UTC
Last seen:	2021-05-06 11:46:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:qeV0LxWPnvnoNZBJV7Iv5G/nfdBbtSwZU00EW+oaMLdvcH4KEA6uOr5/M:qeVf2Z/pIRE1jnZUmErKTWr5/
Threatray	4'531 similar samples on MalwareBazaar
TLSH	5D35AD2212989A24E17B63748466C13947F67E12E272C71D7EE97CDB3B336C0DA5B213
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/151292/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/713148

Signature

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/682ce3faec5aee3ab19316ed585ae60d088cc69bb0dbfe4c089c6d1cade26de8/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-06 01:17:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

4 of 47 (8.51%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nawoh6xmllxdvmmtc3wvqwxgbueizru3wdn74taitrwrzlpcnxua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0a704fefc76e6ffc17e65f30ee849aac5a6d58429689d992952a0101656e44aa

AgentTesla

0eac914906ba0b33c1cded6a4675ca21afde0a74d587c06d16c9ed989836469e

AgentTesla

10043644a25b01c6dc14d1cb146c384eed12c345a951bb1573c6ac57ff2c03ec

AgentTesla

180688c5883698ccf8bb7114a6f5ba5f2433cbc6604ba785ddd102f2db89f9bd

AgentTesla

2e41f10abf73aaf4829958a9c1a8b1de6f3c50a14d6478d12c24802e99315110

AgentTesla

62a683343429ed214262e3462e897e21e3d74843687cdf559f8b464f13d7d119

AgentTesla

8ce43504e92c5aec18585e90f58c306650473d186ac3aeefc116a0a36d939cc3

AgentTesla

cd0c125345543bbf0661d72d5bef97a8d71b20e0acda32fa46c7fc71959b5b88

AgentTesla

f34b079e65a534e9e030e4717e97493ce7e64562a96ac2c29bb286f97b568d18

AgentTesla

+ 4'521 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210506-ynr7mhwn3a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/94d0fb7c-839e-4d0b-a9b5-5e65f03dc65b/

SH256 hash:

682ce3faec5aee3ab19316ed585ae60d088cc69bb0dbfe4c089c6d1cade26de8

MD5 hash:

5c1dfc41184e7e0c8beeb63cf8eb5684

SHA1 hash:

20c56ded4ff57c8a655f44e770e168ca617c37f6

Link:

https://www.unpac.me/results/94d0fb7c-839e-4d0b-a9b5-5e65f03dc65b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/682ce3faec5aee3ab19316ed585ae60d088cc69bb0dbfe4c089c6d1cade26de8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.