MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4
SHA3-384 hash: 4f0542baaa53b9b933dd4e9ebbb954914fc5c209b55399302295ab510db67b951936d9888f4ba7d717db8409f088f59d
SHA1 hash: c27f4722708e21bcc0057ac4b7f9251e7fb4bf36
MD5 hash: 9065a30d35f748f927be3d2b8489fc30
humanhash: echo-summer-yellow-low
File name:Shipping Document PL&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:469'504 bytes
First seen:2020-10-16 10:51:01 UTC
Last seen:2020-10-16 13:14:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'475 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Kr0Dx9dBuk7Rxpq8BSvMPIeQFIna2xCa1TnDWZ9B40P4V48SYGrVNV2d2W5:KgD/3Jrpq+AKa25BI/PT8SNl2
Threatray 330 similar samples on MalwareBazaar
TLSH 92A4BFB17D92546ECA6B077540A6C5C1FAB62AC73FA08B0D719F630C0E21B1BE75364B
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: wjw0.506.cxino.ml
Sending IP: 161.35.118.111
From: TNT EXPRESS <support@tnt.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Shipping Document PLBL Draft.r00 (contains "Shipping Document PL&BL Draft.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71931/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493448
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 00:04:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqsbjpcfsgyflspgahhf4kxwwqihbskfy3u4p6iwzbgyjqjimtsa._file
Verdict:
unknown
Similar samples:
05d567307393895ec32ac3ba2baade59a8a4bc95795fb15045c5c1b3569f95df
AgentTesla
2b32f6ada2947da4bf5b17543971fb26fd3e0353734ef9270351dfe142fd1d72
AgentTesla
46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210
AgentTesla
5e18a7e53e246b740a583555514158a7ec3dfa0b36944b6d8b76fcbc9668ec91
AgentTesla
6badf55361de08f484122fb041fcad31e29a448614f1b315d66a3f58ad9a50b9
AgentTesla
914712c702b94abb26e0d1edbd54712d62a2fdb6cfbc9bd41ac8bcb84296358f
AgentTesla
b24e43f00bbbd88fea2b129c08915d84b5a7643326ff630a0cf013cb2105749c
AgentTesla
d747f645084c779381f77d3ce8de9274a1b21947ab117b88b0b00d0f39af6e93
AgentTesla
dda00adc825d173374e70f8a386a78d1aa48065b7e0cb17712dce31f44bf302b
AgentTesla
e305b3819b013356d630aeae5f76be5ed4632bd99b237bf820905d16272c161e
AgentTesla
+ 320 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201016-cfbffepjpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4
MD5 hash:
9065a30d35f748f927be3d2b8489fc30
SHA1 hash:
c27f4722708e21bcc0057ac4b7f9251e7fb4bf36
Link:
https://www.unpac.me/results/a76dcaa9-741b-4e53-81ba-35e579c99875/
SH256 hash:
ab6c48d67db478ab814a04a6f12b699e328b15ddbb38f4e80358165385fd038e
MD5 hash:
84c2a5df35e338cc568f4dfd14c81499
SHA1 hash:
2b85f644b925247865885b2a1039c0f5b10e9e1e
Link:
https://www.unpac.me/results/a76dcaa9-741b-4e53-81ba-35e579c99875/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/a76dcaa9-741b-4e53-81ba-35e579c99875/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/a76dcaa9-741b-4e53-81ba-35e579c99875/
SH256 hash:
cc68e3eb8bccc4a249ec5b6f7d83cb2230442040a398aa362c30bfa520987bc5
MD5 hash:
0c74f2c28837f15bd9481236e4fff068
SHA1 hash:
d6aaa270e7cde6512b8861d725556433b7da78b9
Link:
https://www.unpac.me/results/a76dcaa9-741b-4e53-81ba-35e579c99875/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 2a11ce2b3b078baa7089068f5070da48aad5b5324867065258f50f3b49b99da7

AgentTesla

Executable exe 842414bc4591b055c9e601ce5e2af6b41070c945c6e9c7f916c84d84c12864e4

(this sample)

  
Dropped by
MD5 05dd9c4aebfd562d78640a617918ed6d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71931/
  
Dropped by
SHA256 2a11ce2b3b078baa7089068f5070da48aad5b5324867065258f50f3b49b99da7

Comments