MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671
SHA3-384 hash: 2882bd75661f96f8c2ccdccec39138cd70068810e28941bc55f851993ac077ad22e8aa7e072d6ea546afee3016ab2995
SHA1 hash: 15d2a4031e5b267cffa905f67b441cb2cc667c23
MD5 hash: c576f125bb9e20097298d58c1f9fa96e
humanhash: emma-neptune-crazy-carolina
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:666'112 bytes
First seen:2020-12-17 08:53:47 UTC
Last seen:2020-12-17 10:29:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gRxarjb0zkhP+wpIeHFbQ0GeBYk2CSH7PKclVAMyJ9FuDwqA25S4LwP6L:k6qkhPvVHtQ0GSYkNSH7jlC9nMfpmP6
Threatray 1'868 similar samples on MalwareBazaar
TLSH 0EE41239719C9B2BC95E87FC9161A00903B1667BFA83E70C8EC464EB19327C1CD59B5B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: spe5.ucebox.co.za
Sending IP: 197.242.152.133
From: HAVER NIAGARA GmbH <info@radiancebeautyhub.co.za>
Subject: Re : Payment
Attachment: Payment.rar (contains "Payment.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-17 09:12:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f9c5cd9-fc6b-4401-a7f9-8223eb701490

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisC576F125BB9E.2405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/565217
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331690 Sample: Payment.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 80 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected AgentTesla 2->24 26 Yara detected AntiVM_3 2->26 28 3 other signatures 2->28 7 Payment.exe 3 2->7         started        process3 file4 18 C:\Users\user\AppData\...\Payment.exe.log, ASCII 7->18 dropped 30 Injects a PE file into a foreign processes 7->30 11 Payment.exe 2 7->11         started        13 Payment.exe 7->13         started        signatures5 process6 process7 15 dw20.exe 22 6 11->15         started        file8 20 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->20 dropped
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 07:30:11 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oalaowl23q4zts3vnnpfebp6xl2gtdhcbi3ajzvnphsj37igazyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
1b80f30f0ee26805d860b7443b35190a7a5c93e159585b4ebef9419fc98e1b04
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
AgentTesla
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
e2b7ea3f36ee9c137c8b52e44c82965f11ccb6c61ad037402416b2c75a532a1e
AgentTesla
+ 1'858 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201217-yzlbachfys/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
fd1a73f5c5ea91dfe4c08dbf9cafa6d21d1057feac086c80d0d50cccf380340a
MD5 hash:
e141e1ddca5cafc691df718a8072aebe
SHA1 hash:
2f4a776b5d4ae12bdca71538f1e7b3c7d573ccc5
Link:
https://www.unpac.me/results/1d5f65c2-e40f-4eec-a255-f20101d53f33/
SH256 hash:
68c1cb6eb4b893698fe5ae104b415e9e780e0caed15f11178f78ac49d60366a1
MD5 hash:
6fe2a2f17bcd65de8ec5641d47375615
SHA1 hash:
990274f44244fbe7628eb4f47c3aee57ee0cda70
Link:
https://www.unpac.me/results/1d5f65c2-e40f-4eec-a255-f20101d53f33/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/1d5f65c2-e40f-4eec-a255-f20101d53f33/
SH256 hash:
701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671
MD5 hash:
c576f125bb9e20097298d58c1f9fa96e
SHA1 hash:
15d2a4031e5b267cffa905f67b441cb2cc667c23
Link:
https://www.unpac.me/results/1d5f65c2-e40f-4eec-a255-f20101d53f33/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7bbb0e45876aee89183e85779be4bbf44fd6c12812d414174ceb6cfee4024a63

AgentTesla

Executable exe 701607597adc3999cb756b5e5205febaf4698ce20a3604e6ad79e49dfd060671

(this sample)

  
Dropped by
MD5 1c451e1aa1d26012650adb57f8d83519
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7bbb0e45876aee89183e85779be4bbf44fd6c12812d414174ceb6cfee4024a63

Comments