MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3
SHA3-384 hash:	d87500bb7180f455d05d599d65a2635ef342384873d7c359b52336fc151b58d5a0e865d0337253ed18ab4aba43cc3262
SHA1 hash:	a263774a7275412ad5137523ec591bd8375e688a
MD5 hash:	0b12c3a43d50484252030f5a78a11fe9
humanhash:	illinois-speaker-iowa-venus
File name:	Shipment_notification1666547433.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	465'920 bytes
First seen:	2022-12-12 13:04:39 UTC
Last seen:	2022-12-12 14:51:42 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:o1cfl/1vbj3mMKOyTz4peRPHr43KXHK4:o1sJ1jzu40R5Hl
Threatray	786 similar samples on MalwareBazaar
TLSH	T10BA4CF3F3E888C97E09B9DB9FA0669C8468B60910B147741D9B5F55F8FF782DC81234A
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Shipment_notification1666547433.exe

Verdict:

Malicious activity

Analysis date:

2022-12-12 13:06:31 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/05e54155-a5f8-4f00-9ae0-faaeab44c3a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345436/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.55409.21905.18523.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/639727019a505ad9423f3093/reports/1dfd453f-3b20-430d-b0da-9df707050d5f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3a74e45-c71f-4dc3-ac9a-118e1e111b7e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1132635

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-12 09:50:00 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qgzvxktcchcrp67fo5evedvpajfe65vvvj6jbzr6kcijlyfgmwrq._file

Verdict:

malicious

AgentTesla

3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

AgentTesla

473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d

AgentTesla

4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd

AgentTesla

66bfc82c4f69f36538f7ff9f5949f72288805850f4b64980c17ec930c6baf224

AgentTesla

73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43

AgentTesla

866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7

AgentTesla

a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c

AgentTesla

c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44

AgentTesla

e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3

AgentTesla

+ 776 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221212-qbhk2sbd46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1c8ef29d-d7e7-47ca-8d5c-e016500f9211

Unpacked files

SH256 hash:

81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

MD5 hash:

0b12c3a43d50484252030f5a78a11fe9

SHA1 hash:

a263774a7275412ad5137523ec591bd8375e688a

Link:

https://www.unpac.me/results/a48de9c2-1ac0-456d-84a7-dcf18dcdc1e9/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/81b35baa6211/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/345436/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample