MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85
SHA3-384 hash: 6c0a7c68daee51f7e219621e7319cfdf80ee406257b00b5872591ff61de6c400b2c0047f204f7e9362914c938f89f650
SHA1 hash: 90a8ebb6a71a7b8462cfbf5ff7605bc66297c48e
MD5 hash: e5b3fc8e7c159b836046b6f657179929
humanhash: speaker-apart-delaware-uncle
File name:MANISA SILVANA - Spec.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:500'736 bytes
First seen:2021-08-12 10:52:51 UTC
Last seen:2021-08-12 11:52:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:pqpaDiyDFrvC2uEXmoKpiTQfmlrnKdjkt1V3e+VEdC0cRm7+7nT3wJHWv2EvkWbm:pTDBNKEvKMnKdQPVxEdFcs1Ji7bTG
Threatray 8'340 similar samples on MalwareBazaar
TLSH T152B4121369200B67E1F51B7489EB860072330D49D37BA48F394DFAAB7773320861E6E6
dhash icon 142c1878a290c0c4 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MANISA SILVANA - Spec.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-12 10:55:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6feee9cf-1518-44e8-a29d-114bf5d16905

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178581/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15407.2832.31842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48714827-06fa-4d7d-a2ee-c1871b468a86
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831658
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 10:17:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ophpzcd7bk2ntybgtrjhyfuh4nqesojgx634zq5io22lwgmdfocq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
AgentTesla
1999b409b4fdabafe9343b5a7d3f4ac0a019fe8f1f5d7ca3caf9fbe051c01ca8
AgentTesla
365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
AgentTesla
36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
AgentTesla
e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5
AgentTesla
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
AgentTesla
+ 8'330 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210812-2ldh1d1r56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0340693a339f2b45525134cbc94c7e0535ff9b1bc4acb6d3c14b0dc67dff5e16
MD5 hash:
d35d6d02e68ef7f1af43e0a462ae7631
SHA1 hash:
74ea8f8fd3257ef5e407a9e5a02c6e1c38c0af44
Link:
https://www.unpac.me/results/170e27f0-1f8f-4acc-998e-0ae872eb8b5a/
SH256 hash:
02b7ddfbcf745e24b63c7d0a88d15e10bdef3cc794d93e8a05e4edf4a96fa939
MD5 hash:
07763f4cdceddc9339d9d91c5e1503df
SHA1 hash:
69382ec7c70a3dd2e9fb94e29622fd3d8931253d
Link:
https://www.unpac.me/results/170e27f0-1f8f-4acc-998e-0ae872eb8b5a/
SH256 hash:
2dd6b1bd30af0337b4ffeb671712f1f2392a2b621fd946975ff22ab4e43915f5
MD5 hash:
24a6b093586d72123a3b848407c3a0a1
SHA1 hash:
3e101a25ddc877ff8a8bd36dc28caa596e30b3fb
Link:
https://www.unpac.me/results/170e27f0-1f8f-4acc-998e-0ae872eb8b5a/
SH256 hash:
73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85
MD5 hash:
e5b3fc8e7c159b836046b6f657179929
SHA1 hash:
90a8ebb6a71a7b8462cfbf5ff7605bc66297c48e
Link:
https://www.unpac.me/results/170e27f0-1f8f-4acc-998e-0ae872eb8b5a/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/73cefc887f0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/178581/

Comments