MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a
SHA3-384 hash: a86fdd3c0d65f1be7d34d64ba3a73247ea5ed5bc5c06868b9d3e041c5e85d047ebfdcb22d4e6964641374fe4a07ab280
SHA1 hash: cdfb454d5a351bd6f7d160793839b42aa54ca51c
MD5 hash: ba5f0ecc92915693ae84d8fcbf015eb2
humanhash: rugby-yellow-north-autumn
File name:Purchase Order APO200231.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:107'896 bytes
First seen:2020-10-14 15:21:51 UTC
Last seen:2020-10-14 15:57:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:oGAvWh9DgEHcLcbJjL8WZLrToFaNbxsSfiiqcJRQkVFbgJFCI0je0XucZcaa9zzK:KF+JvL9sSfFqcD9F8JFCiumuUMnUf2
Threatray 7 similar samples on MalwareBazaar
TLSH AEB3BC073095DE29FAB533FA1AC3C48561F06867E2A5C6711FEFAED8B0B1704574BA48
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hkfm.com.hk
Sending IP: 64.44.57.18
From: "Rita Chan"<general@hkfm.com.hk>
Subject: Our Order APO20/0231
Attachment: Purchase Order APO200231.pdf.iso (contains "Purchase Order APO200231.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70887/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34768522.2612.26551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a TCP request to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491311
Signature
.NET source code contains very large array initializations
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 08:54:41 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovhuddrv3feozgmdtwbbt3wz236yvd4ocekrv5rll7iiyidmebfa._file
Verdict:
unknown
Similar samples:
1e2ced0bf97c8caa6021784418f2edba1d0e618034fa15d83a0e8896e0936993
AgentTesla
2bf089ca557a9f45614b8c69d1e99c2865ccce16d5623d43f058421ddd16e3e4
AgentTesla
4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f
AgentTesla
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
AgentTesla
62a3f96dbc53b59dc32cac8f2627992d4152cbd6735e488c4ae86f089dc97aa8
AgentTesla
7c6f9944f020d5349a5657bdee7fb477efd9243135a05b4db9b6a2c19f6fdc27
AgentTesla
d3f6b0b7336fee85292bc3b1f5634f113b561b9c5205f1ac319949628ba281ba
AgentTesla
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201014-ddxj9hbx6n/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a
MD5 hash:
ba5f0ecc92915693ae84d8fcbf015eb2
SHA1 hash:
cdfb454d5a351bd6f7d160793839b42aa54ca51c
Link:
https://www.unpac.me/results/a3bf7b0a-bc22-472e-a588-26bf4c9314a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 412b6fbc575a67f18463857b32e5ea7cf3ec518d5aaac3757d890de56e5f93b2

AgentTesla

Executable exe 754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a

(this sample)

  
Dropped by
MD5 b4f0051aa4584a2dfc3a95342558fd22
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 412b6fbc575a67f18463857b32e5ea7cf3ec518d5aaac3757d890de56e5f93b2
Cape
Cape
https://www.capesandbox.com/analysis/70887/

Comments