MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71fb2874f7a7da6d0f0e528f0b0d2d98c74afe88d894ee6f29387ba3bb540c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71fb2874f7a7da6d0f0e528f0b0d2d98c74afe88d894ee6f29387ba3bb540c37
SHA3-384 hash: 56afb77a3ffe745f70111cc19dfdd17686612db8040b8b61089806a752d27399450437ed044d1578c1696eb4ee88dc1e
SHA1 hash: 4d148c714264c1fd68514071a086e923d5d4765d
MD5 hash: 9466fabf8c940c6839036727c32df8fe
humanhash: delaware-kansas-early-butter
File name:Document_BT24PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'417'216 bytes
First seen:2021-02-24 07:07:01 UTC
Last seen:2021-02-24 09:04:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qUIdDYr+cO/SIqAJ1M7s4nVYTlsIor1DA0VpnlLJ/d6/3MO31KFJqO3SJe6YFKyT:6XmeRhF8mSAmDF7M9fyNDdwr6A+j
Threatray 100 similar samples on MalwareBazaar
TLSH 746559412A64BE25F0BD9733A86854619BF9EC00E341C53EF9E97CAD5EA1FD2520F207
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.roelgroup.com
Sending IP: 5.2.206.95
From: Gabriel Dobrinoiu <gabriel.dobrinoiu@sara.com.ro>
Subject: FW: Document - Banca Transilvania
Attachment: Document_BT24PDF.iso (contains "Document_BT24PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document_BT24PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-24 07:19:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8319cf0-d4be-4984-a12a-4bc01a1a4756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118880/
Detection(s):
SecuriteInfo.com.Trojan.Inject.8455.25064.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616218
Signature
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71fb2874f7a7da6d0f0e528f0b0d2d98c74afe88d894ee6f29387ba3bb540c37/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 07:05:12 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oh5sq5hxu7ng2dyokkhqwdjntdduv7ui3cko43zjhb52ho2ubq3q._file
Verdict:
malicious
Similar samples:
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
AgentTesla
4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
6cb469942c62201df016b93c2aecb28508c3594d60b385e654c3f7f9be1e5697
AgentTesla
6dda8584a5682afdc017e2e421619b02fc9f57a67de615332797b3e96981864d
AgentTesla
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
AgentTesla
9885e59ed40fe0dd7227188294b241c1c4d2d488c656c2409648efeeaf560d07
AgentTesla
988bbad8a48d5a66c06478290c947492ae662576793a26028d9a87fa652b84aa
AgentTesla
bd784854e186a0f43ecfba7babc1f16bf5e8b42d8674e8f7af4443cefc99e719
AgentTesla
c5f444d3e3808d7323e4beabeeb3fd254fc9b458157aea384873fd1dbc059e82
AgentTesla
+ 90 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210224-rhq2vl4bnx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/3a5a8600-1dce-4713-89f7-136e4ead40bc/
SH256 hash:
71fb2874f7a7da6d0f0e528f0b0d2d98c74afe88d894ee6f29387ba3bb540c37
MD5 hash:
9466fabf8c940c6839036727c32df8fe
SHA1 hash:
4d148c714264c1fd68514071a086e923d5d4765d
Link:
https://www.unpac.me/results/3a5a8600-1dce-4713-89f7-136e4ead40bc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 47bb641370ceb54573bdb58a923b01291eb5fbae0d35c2bf91262609c77d332a

AgentTesla

Executable exe 71fb2874f7a7da6d0f0e528f0b0d2d98c74afe88d894ee6f29387ba3bb540c37

(this sample)

  
Dropped by
MD5 22b66237fde119a2694a7c40328c3ac1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 47bb641370ceb54573bdb58a923b01291eb5fbae0d35c2bf91262609c77d332a
Cape
Cape
https://www.capesandbox.com/analysis/118880/

Comments