MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7



SHA256 hash: 69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c
SHA3-384 hash: 7de9d753d7eda74d1b66406d6d195a4d3310ed97b47e12ec7eb9d3efe8028d3a8efe30a7a2f98efafbf70d6f46c5cd9e
SHA1 hash: 857a40c459ab90952549ce75201c54481c49568a
MD5 hash: 8c7105396bbeea8616368d4cb2d05c58
humanhash: zebra-one-kilo-two
File name: PO #00092.exe
Signature: AgentTesla
File size: 1'143'296 bytes
First seen: 2020-12-17 08:33:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:ZgRNlW77fF+diOQ0YGWzvrUemLOyCWslmy/jT+D9CrRKSKnY1TTbTI10RpElS/dx:eeE4rOYRbTI10F1dzf1l6W2tNk2B2m
Threatray: 1'869 similar samples on MalwareBazaar
TLSH: C2359E2436EA6759F037EBB956E47045CBFAF623B71AD4493C9103CB0622F40DE9163A
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: gyp.gr
Sending IP: 46.227.62.27
From: Paolo Valdes <paola.valdes@nidec.com>
Reply-To: jack.wang <jack.wang.maxmothes.cn@outlook.com>
Subject: New Customer Purchase Order Document(s)
Attachment: PO 00092.rar (contains "PO #00092.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window

Result
Gathering data

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour:
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-12-17 08:34:15 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: Warp
Author: Seth Hardy
Description: Warp

Rule name: WarpStrings
Author: Seth Hardy
Description: Warp Identifying Strings

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c (this sample)

Delivery method: Distributed via e-mail attachment

Comments