MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 756ab3c5bffff0818a4c93ccc7354abf63836b91faa2590f1c1b83284ef41de4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	756ab3c5bffff0818a4c93ccc7354abf63836b91faa2590f1c1b83284ef41de4
SHA3-384 hash:	8719890424de158679ea61002563d547f06d1e4ced7815ede48774f682b89e9ad3eb3ea307edb3bd43838cefc6d5521d
SHA1 hash:	0b76ea77165cca562edce8e86fdaacdd2d83f5df
MD5 hash:	e1c2ff2218624200595a27daae55c601
humanhash:	hamper-north-berlin-violet
File name:	Enquiry Items.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'418'688 bytes
First seen:	2021-05-06 07:10:51 UTC
Last seen:	2021-05-06 08:15:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:m/Kiwl+hJsdrlSOC89jsqab7hPNjGNMm3+s3/RnGuaNsZU/5+CLHCwL5YHAL2L9J:m/Kiw
Threatray	64 similar samples on MalwareBazaar
TLSH	31B573A57AF8C92995BFBEE241747D47C9BEFBBA9131B6EC60844D5CC6000A35C81393
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/151368/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.703.21433.14320.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/713339

Signature

.NET source code contains very large strings

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/756ab3c5bffff0818a4c93ccc7354abf63836b91faa2590f1c1b83284ef41de4/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-05-06 07:11:32 UTC

AV detection:

11 of 47 (23.40%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ovvlhrn777yidcsmspgmonkkx5ryg24r7krfsdy4dobsqtxudxsa._file

Verdict:

unknown

AgentTesla

1c6ec68a3017dd39da5043ff4cecd25ae5dadcc4f2577ba7103c84547c228882

AgentTesla

3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078

AgentTesla

673500aef66cdad3be016e872ca2cf17bd814857bf53f7ef24a0f534a3a47dcd

AgentTesla

8ef4a31bc2a6eacd381e90d8873c55da95a1ed26ec3240d38bfec7b0a25a6e6f

AgentTesla

a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

AgentTesla

ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

AgentTesla

b39e096b204c009b28f80f36a5b197539cb24d7f670eed000d7fa3db347298b1

AgentTesla

b6f599f2cf0fff466e3a53c8affd0401a0dc2d63cc5ea037c165a6242d69efeb

AgentTesla

db23d6f5e2123cde47f4e3178bf18063aa3270d13499991200c9074a837eff07

AgentTesla

+ 54 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210506-4xnvece7p2/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

1f892068a7cc5c171bbaf53b2a1b5d3346e7bd29a34bdada97ded0574fb49bc0

MD5 hash:

7cf46f566b7ac7fbe7e8d0b8143d05ba

SHA1 hash:

e4016960e3a63a6517e3837f592b4b85bba6db7a

Link:

https://www.unpac.me/results/15676d39-35fd-45f9-9272-94fb4532cbca/

SH256 hash:

f12da2bcddae7da6cb786a34fd374a6bb0f045dca4c6cd97f6d88c1b6152f517

MD5 hash:

53ab33d75b10745c39e8bc01f95ca60d

SHA1 hash:

c95579d71b33f7537da800b95e2a05e973f0d06b

Link:

https://www.unpac.me/results/15676d39-35fd-45f9-9272-94fb4532cbca/

SH256 hash:

756ab3c5bffff0818a4c93ccc7354abf63836b91faa2590f1c1b83284ef41de4

MD5 hash:

e1c2ff2218624200595a27daae55c601

SHA1 hash:

0b76ea77165cca562edce8e86fdaacdd2d83f5df

Link:

https://www.unpac.me/results/15676d39-35fd-45f9-9272-94fb4532cbca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/756ab3c5bffff0818a4c93ccc7354abf63836b91faa2590f1c1b83284ef41de4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/151368/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample