MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c
SHA3-384 hash: 84e849ff9716f92f7a267c0282e718c39964a265d382253db0489f99c82e16f81a63fa2f7501f4585cbc6bcb6fe22dbf
SHA1 hash: f3c4ba655125859eeeb51b9f0911c4bfcfd457b7
MD5 hash: 0a09b204aabe9a091fc1717cef36acb5
humanhash: carbon-december-king-sodium
File name:New Order Inquiry Grupo Dani.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:712'192 bytes
First seen:2021-07-30 07:49:23 UTC
Last seen:2021-07-30 08:35:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:516p+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXlbM3NmdPcA:1bM9XHpjVguekMQslXSBjKDV8Wkfn
Threatray 7'612 similar samples on MalwareBazaar
TLSH T143E4DF7B07988627FB7ED1757AA0F055F76089D3BB01DE0FC68766C118A760221CAD2E
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
571
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order Inquiry Grupo Dani.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-30 07:53:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce091b01-067e-4cf5-889f-83bd3e73a08c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175223/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46710159.9603.25538.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/539a40ed-3e46-4ced-9ccb-ff185502f195
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824341
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 03:03:45 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=osewhrie6ldhizjd5f64grdhaievl3ylwuga47o7vm64jlttwewa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa
AgentTesla
772d60eb9c03a8ffaf7dc4342c81d657f085b23e55ceb3a412e5401906608aef
AgentTesla
9805afbc4ec53bea5c08ab912445f1a9e34791eeaaba6c8ec0d50223e2c6005b
AgentTesla
99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b
AgentTesla
a65c812000900485065a8a2d13fed88aeb45077d8bd14424fe4a3a363e147e14
AgentTesla
c39e3467c753b547bf66208e0812b5f35571e3e8773c7c049ac31ade62b48341
AgentTesla
d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f
AgentTesla
de37859ffc72ea5203fdc6d147ec3734a839c32d931d417eaec7a9dc8793143d
AgentTesla
f6e9174f6712aaa52c7a669e88a15eb08b4e901e94099bf1432bf1f7b2952d0b
AgentTesla
+ 7'602 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210730-a1nzek71pn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/a689e153-6f08-4456-b53f-1b835723c147/
SH256 hash:
f5ba9fcf07f23934f24aa1f3d2bba1b13acb8f76ef97c99a0afad6892caf5c42
MD5 hash:
a0f6f063d5a4c8054c89999e328d44cb
SHA1 hash:
cd3e2ac941074244d22ddaae258a97ebce84f0e5
Link:
https://www.unpac.me/results/a689e153-6f08-4456-b53f-1b835723c147/
SH256 hash:
7a14828f2a47ffa875e79e54a13ef604c38293da3b0720a7f7f586f37a8129a6
MD5 hash:
bd7ee2dbcbeec4572142d2f3fca5ebd4
SHA1 hash:
9d6c22d957c31af4e93f3ec13d7e3caccf659abc
Link:
https://www.unpac.me/results/a689e153-6f08-4456-b53f-1b835723c147/
SH256 hash:
748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c
MD5 hash:
0a09b204aabe9a091fc1717cef36acb5
SHA1 hash:
f3c4ba655125859eeeb51b9f0911c4bfcfd457b7
Link:
https://www.unpac.me/results/a689e153-6f08-4456-b53f-1b835723c147/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 748963c504f2c6746523e97dc34467020955ef0bb50c0e7ddfab3dc4ae73b12c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175223/

Comments