MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7
SHA3-384 hash:	a9779e1e9e414e585fc11b6358cda596611ec757e4213aae454798ec7a2516d97f3c520b3dd5f69d005674d491c056b1
SHA1 hash:	f2df5eaa3fd4307d487743d200f945628cbe5f1f
MD5 hash:	ec9babffba2181c024a2f1a07fe8ee45
humanhash:	one-one-equal-cat
File name:	AUG PO-HN512201811,PDF.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'122'282 bytes
First seen:	2021-08-09 05:21:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:qAOcZuXPHf+GJUXUmxsrzi2DpEDdIFq3XFQYcqa6lCKCN:QpfHysZDpcdIFWX6KtG
Threatray	8'855 similar samples on MalwareBazaar
TLSH	T102351202B5CA7871F4B238F14925669024793C505E59CB3FA3B4386CDA38683EDA57BF
dhash icon	37712b134b091529 (2 x AgentTesla, 1 x AveMariaRAT, 1 x MassLogger)
Reporter	abuse_ch
Tags:	AgentTesla exe scr

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AUG PO-HN512201811,PDF.scr

Verdict:

Suspicious activity

Analysis date:

2021-08-09 05:24:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b8f8f0a2-500d-4df6-bfeb-107fe27c535b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/177401/

Detection(s):

Win.Malware.Qshell-9875653-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Sending a UDP request

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d99e6116-ca09-4dbc-8dd9-8b34487df0df

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/829128

Signature

Allocates memory in foreign processes

Drops PE files with a suspicious file extension

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM autoit script

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-08-09 03:13:27 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qmnzuru54dmuihuxpofqkurvx5lofji2t6ymjieeetdthyzsohlq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1bf63394fcf232d3a303d17df87252e2f47c43205edadc99ed15a50c9e193ebc

AgentTesla

20abcc84d40d1b7314e3f293c510ee4f5199d43db15074aa79705c98bacf5ff5

AgentTesla

63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07

AgentTesla

7cf95c0b9a54fa67fcd82ab0dc3dddbbb3861b9c4111a12e628f0003b02e41d9

AgentTesla

c8a4462c6b8f5d8728d5374adc98def5a5c38dd97d70a1c3859c876bfbe3fbd0

AgentTesla

ebbc6f882c469db06196cbeea3ef7b62899229ef1f89234ef3ace2f83ce2b557

AgentTesla

ee9581098eb9fed674854c0f2579b5bfb17ae7788cdbb15abaa3c5af3af50ecc

AgentTesla

f1f545de09f0d7a4b5adcbfd695e64333d6195e53c120cacfb1e276d8fc7afed

AgentTesla

f2597b91433ba86188dd0e53cf04d2c43d97f5231bc3077df18e75447f15c77c

AgentTesla

+ 8'845 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210809-xqvhfw6dcs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

7473a498faf7bb26048127dd8f668acafdba6c3de577c27b6fa3ef92da5a3f4b

MD5 hash:

b7c7ecf9fc9ac713fea9394e264a9dd7

SHA1 hash:

9bdec9486f2ddadbe2a65d4c445bcb0d34879eb4

Link:

https://www.unpac.me/results/9dec3ea7-102b-4187-8424-c5b7b4bcd7e3/

SH256 hash:

831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7

MD5 hash:

ec9babffba2181c024a2f1a07fe8ee45

SHA1 hash:

f2df5eaa3fd4307d487743d200f945628cbe5f1f

Link:

https://www.unpac.me/results/9dec3ea7-102b-4187-8424-c5b7b4bcd7e3/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/831b9a469de0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/177401/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample