MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 751473d0bdfa674927317b2747b52a04372b4f1e38616cc465763d64cb7bbee6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	751473d0bdfa674927317b2747b52a04372b4f1e38616cc465763d64cb7bbee6
SHA3-384 hash:	c881a5a679121ed28abd8a4eb4182180497b488b04f1a7f09f0232a57d381bf2dd884d2f87cfc9acb9fafb67bbf1432d
SHA1 hash:	0a21656b6a1308da38d289baf0349f123c9a9c85
MD5 hash:	f0cabeaca8870fed25da101e5efa5591
humanhash:	papa-music-romeo-ohio
File name:	CTM ARRANGEMENT FORM.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	507'392 bytes
First seen:	2021-11-19 15:32:15 UTC
Last seen:	2021-11-19 18:05:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:m4KMpYjaksxtXIGNE9hapWBik3gVllizfWCCST4gk3J7M2FcXWIO:xpYjakYVNE9haoB0VlliLWCkgs7DcQ
Threatray	13'491 similar samples on MalwareBazaar
TLSH	T1FBB4806C3B415A72ED0D80B3BD510AD4BB370F03A240BA9657DBBEFA975F8652D05C88
File icon (PE):
dhash icon	f068ec8c4c4c0c9c (1 x AgentTesla)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CTM ARRANGEMENT FORM.exe

Verdict:

Malicious activity

Analysis date:

2021-11-19 15:43:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a94a82c5-6520-430b-b09d-2c6b8ead3014

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Inject4.19042.5596.21452.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Running batch commands

Launching a process

Creating a file in the %AppData% subdirectories

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm obfuscated packed

Link:

https://www.filescan.io/uploads/6197c3b12695a62af9f3e950/reports/9af49940-9608-4004-9827-2ae90d486f60/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/150311e5-f06c-427e-b0a8-a93baadb50b0

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/892756

Signature

.NET source code contains very large array initializations

Binary or sample is protected by dotNetProtector

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/751473d0bdfa674927317b2747b52a04372b4f1e38616cc465763d64cb7bbee6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-09 15:40:51 UTC

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oukhhuf57jtusjzrpmtupnjkaq3swty6hbqwzrdfoy6wjs33x3ta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4010e4cf063629069f5a7fc586b1845433b426d6c09f5a8eeabb348a2686f89f

AgentTesla

51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209

AgentTesla

531284168c3d5dee90d9d45b762d7e3b0fb409a670efcf61b378df7677d58b55

AgentTesla

aca997fcaac6e87491969a33360065a8a4cea025152c65fc5bfcff0f9fab2dce

AgentTesla

ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22

AgentTesla

bac1342206103fdc88c4c3ca8b2c30d73e46781d8e40f82f1ea4064547bbb76c

AgentTesla

dbba7dd4355342a19336aba7d468ecbdfb0d730287e8f8f28ed88ba445bab2fc

AgentTesla

+ 13'481 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211119-sy7vkaagdl/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

aef96b332ef7d16be58409be9ac8a84b06ddd4dde4b17dde4a8e029c8cfd0a51

MD5 hash:

ab2d3f35ad8bfb5a6e26c29f7fdaeb42

SHA1 hash:

d95182d76d1bd4c4800ec3b7ba934f60f5f93157

Link:

https://www.unpac.me/results/44e4c87b-6a4c-4166-9085-666b0e28cc3c/

SH256 hash:

751473d0bdfa674927317b2747b52a04372b4f1e38616cc465763d64cb7bbee6

MD5 hash:

f0cabeaca8870fed25da101e5efa5591

SHA1 hash:

0a21656b6a1308da38d289baf0349f123c9a9c85

Link:

https://www.unpac.me/results/44e4c87b-6a4c-4166-9085-666b0e28cc3c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/751473d0bdfa674927317b2747b52a04372b4f1e38616cc465763d64cb7bbee6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Dotfuscator Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Dotfuscator

Rule name:	INDICATOR_EXE_Packed_dotNetProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with dotNetProtector

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample