MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 823054b0f79453a8cdecc7b8586c63d2ed3c45bdd46742563e8e8e72a80b0b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	823054b0f79453a8cdecc7b8586c63d2ed3c45bdd46742563e8e8e72a80b0b54
SHA3-384 hash:	ee5b7e775914a00e8cf266191c751289ae7ef010bfc1203f1e9f589d4dd294e28292dd7411f7b9e878736f24db836b93
SHA1 hash:	b4f252341f4f48157a3a47a825cb5c6e147508c5
MD5 hash:	c2c4ff089790c7c701807bd22c7fa1d4
humanhash:	solar-tennessee-missouri-pizza
File name:	Recibo de pago.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	599'552 bytes
First seen:	2021-11-02 06:54:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:19zme6IOE06Qo6sMdVXbxoZ0IAu0HB42H0msGtgQ4dhcTlu06W3e5x2:19qeqldVr6GI+Hq3lS7ucTiy
Threatray	12'495 similar samples on MalwareBazaar
TLSH	T17DD4D03824E46626DBED82359D55C92913B25CAD9443E71C1EF1FDD33AFE3A34E0284A
File icon (PE):
dhash icon	d0f4ccf2faaaead4 (10 x Loki, 9 x AgentTesla, 9 x Formbook)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Recibo de pago.exe

Verdict:

Malicious activity

Analysis date:

2021-11-02 06:56:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb524756-392f-447a-9ac1-9d43772e422d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/201281/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6180e0cdbf51178dbe47e0d9/reports/911e8c00-0b03-41e4-b2fe-cbefa4648e3d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c6cc55f-80a9-4c80-a45f-4682f1725767

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/881719

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/823054b0f79453a8cdecc7b8586c63d2ed3c45bdd46742563e8e8e72a80b0b54/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-02 06:55:08 UTC

AV detection:

8 of 44 (18.18%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qiyfjmhxsrj2rtpmy64fq3dd2lwtyrn52rtuevr6r2hhfkalbnka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

438e196c22769bee824a536ca0547b52ee203ec77010fc3aa9447be1765b381e

AgentTesla

6a98f93184dc5abbf4fbe1df1eee2ee6e539fdcaae2af54ebb1f28a6df223b7c

AgentTesla

72847c227cc515780506407bf4061ed21267b9b18bbd9c5373adfea28a1c15a4

AgentTesla

8e185bd58ad5131fdbe60c267f00b1e661d39eefe850543fb56243662dbac318

AgentTesla

a14532851a6cf9501f2a4f5b0ecc61d4ef8e10d220a401b220cd06ae8f83aeee

AgentTesla

aadf4a2325f03bbc80d38bc0c033e5ecc945a9b132570533f5a3fc41a6e034d6

AgentTesla

ab5c29e94cda16d44ba0b3fec24ff2a46bf9518ab2787730dde2be0db8e22d58

AgentTesla

eeb14fae34a305b9bf24954715705b38bdb20f50d785383c0ab7d3ec4a28c1cf

AgentTesla

f4c6d0b3ff8dd1100a6dd10550936f1207eb9c29b7cd42589718a9a4f3695386

AgentTesla

+ 12'485 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211102-hptapsbhc3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785

MD5 hash:

171a2669225911b41301096cd9dcf19f

SHA1 hash:

dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5

Link:

https://www.unpac.me/results/b2872cd9-1f44-40bc-9928-2093202f3614/

SH256 hash:

91084623f009edfe945743c5dd5548b2bfccaceeaa60eeadc9c36bbe21951aea

MD5 hash:

0f106409e5aad2aaa19d7b92fbbc24af

SHA1 hash:

a4a619f00c1ac805f82ff74ff8d5b2846dc1c782

Link:

https://www.unpac.me/results/b2872cd9-1f44-40bc-9928-2093202f3614/

SH256 hash:

f4c6d0b3ff8dd1100a6dd10550936f1207eb9c29b7cd42589718a9a4f3695386

MD5 hash:

84ec08ab0bc4e88c3cbaa0d211044685

SHA1 hash:

8261c0e369b15c500a4bc669e94086217af28a5e

Link:

https://www.unpac.me/results/b2872cd9-1f44-40bc-9928-2093202f3614/

SH256 hash:

823054b0f79453a8cdecc7b8586c63d2ed3c45bdd46742563e8e8e72a80b0b54

MD5 hash:

c2c4ff089790c7c701807bd22c7fa1d4

SHA1 hash:

b4f252341f4f48157a3a47a825cb5c6e147508c5

Link:

https://www.unpac.me/results/b2872cd9-1f44-40bc-9928-2093202f3614/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/823054b0f79453a8cdecc7b8586c63d2ed3c45bdd46742563e8e8e72a80b0b54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/201281/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample