MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f
SHA3-384 hash: 6a3f2aa635bab503ab7b5cc4add0664c797147fa724bda41f637c6391a041ed71c560b8ed0dc350b9ee68d6f974056fe
SHA1 hash: 0d66a22ae06ff01f76d752da1593a785dc8d2363
MD5 hash: 286d4c71e16196ee05d2fc1350141e3e
humanhash: sad-equal-network-west
File name:DBS_Bank_ Payment Copy_Pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:39'424 bytes
First seen:2022-01-14 11:07:24 UTC
Last seen:2022-01-14 12:47:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:X+tGWgEroCAdweY635wi+kTOY40XLwLPwIaW9tA9y5HYvf6JLnPU3iTSRvNes53c:VErQDT5jbp40704b79uHYvinPUC0pc
Threatray 14'071 similar samples on MalwareBazaar
TLSH T1FA03D502FA948370D3EA16B7A4DBF00CD2E59D2D1207D956F4613E4D2A323D12EF6A6D
File icon (PE):PE icon
dhash icon 64e4c8d0f0e8d4d4 (56 x AgentTesla, 7 x RemcosRAT, 5 x NanoCore)
Reporter abuse_ch
Tags:AgentTesla DBSBank exe


Avatar
abuse_ch
AgentTesla payload URL:
http://sub.areal-parfumi.si/new/Ogpuzbk.jpeg

AgentTesla SMTP exfil server:
mail.meyaargroup.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e8475dcf-e688-4382-d098-08d9d7462848f632fe2c-a474-88df-fe81-4813cfaa1edd.eml
Verdict:
Malicious activity
Analysis date:
2022-01-14 11:06:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/431c8698-9333-4fe8-bca5-9a58e8e114af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219298/
Detection(s):
SecuriteInfo.com.W32.Jigsaw.A1.genEldorado.9483.12276.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe jigsaw obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61e15995e997359713ebdba3/reports/9bc3bea8-26fb-49b2-a10c-8ff0c7e879a9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4c2db17-0b95-4472-b954-306f762b6011
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/920677
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553155 Sample: Copia de Pagamento_ Caixa_G... Startdate: 14/01/2022 Architecture: WINDOWS Score: 72 32 Antivirus detection for URL or domain 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code contains potential unpacker 2->36 38 3 other signatures 2->38 7 Copia de Pagamento_ Caixa_GD_Pdf.exe 15 4 2->7         started        process3 dnsIp4 30 sub.areal-parfumi.si 152.89.234.40, 49750, 80 OPTIMUS-ASSI Slovenia 7->30 10 cmd.exe 1 7->10         started        12 cmd.exe 1 7->12         started        14 cmd.exe 1 7->14         started        16 2 other processes 7->16 process5 process6 18 conhost.exe 10->18         started        20 timeout.exe 1 10->20         started        22 conhost.exe 12->22         started        24 timeout.exe 1 12->24         started        26 conhost.exe 14->26         started        28 timeout.exe 1 14->28         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 11:08:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6rilhxsjcaevzmjecvfhs624topoklmb335zurzoakl2w435u7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
484f86d608111d29c70a1bb0f456e3e4bfa942d71eeac1e049a15d4439f29b49
AgentTesla
49f7415f7b85e989eed8d42e320c82ea6f69850650672ea6d7df65332a7e48c6
AgentTesla
624ddc18fcba299a476269baee8177c71304e9f9a4b89cc22e07d0a4726cc43a
AgentTesla
70364ce784cbd9cad382edd614401d8241f0ec38a6d4f4aaa3e9c7d782032374
AgentTesla
8065f0a8fb9f149f281c0bb9988547651d0a6c9350352cfd4b2013c65be5ccd2
AgentTesla
8586940b285a92802ff9ca77ab7fb949de2a24784d4724dc18ce6d9c1ad6f187
AgentTesla
9fa62a9a26796ea4306d561803543096ec581cffa966b024dee5991254502e83
AgentTesla
e484dd89ca41783addc420ae8b28e965997644a1bd7a9af1485dc239f21e2ac6
AgentTesla
f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0
AgentTesla
+ 14'061 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220114-m8j9csgaep/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f
MD5 hash:
286d4c71e16196ee05d2fc1350141e3e
SHA1 hash:
0d66a22ae06ff01f76d752da1593a785dc8d2363
Link:
https://www.unpac.me/results/89e0804d-d6cc-492c-98a4-6d37003f56de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 77a2859ef248804ae58920aa53cbdae4dcf7296c0ef7dcd2397014bd5b9bed3f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/219298/

Comments