MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
SHA3-384 hash: 70f6eae008c092783dc18c9a79b4850f0047ccd120e575188609fc5464f6973553992963206e4744067d47d3ab41f938
SHA1 hash: 7303b0c345036b16ee7fe083ea22245388919c4c
MD5 hash: ac3a5dc157c1d6e3628d06e0f8de0555
humanhash: kilo-nuts-delaware-louisiana
File name:PO1420.jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:314'483 bytes
First seen:2020-10-14 15:53:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:GdRVzSkGTxSLD8uq5CaOPs47bhqUdnDafk+gPh03:GhqxSLo5C1Ps4XhRDa8+gg
Threatray 257 similar samples on MalwareBazaar
TLSH B064BF02B9C184B2D4321A316979A7916E7E7C300F24CADFA3E47D6D9B311D26635BB3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mtx0.allshoes.com.se
Sending IP: 45.84.196.14
From: "Pamela Rice" <office@allshoes.com.se>
Reply-To: info@allshoes.com.se
Subject: Purchase Order
Attachment: PO142020.IMG (contains "PO1420.jpg.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70921/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491401
Signature
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298259 Sample: PO1420.jpg.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 61 cdn.onenote.net 2->61 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected AgentTesla 2->79 81 3 other signatures 2->81 9 PO1420.jpg.exe 1 9 2->9         started        12 Po-14102020.exe 2 2->12         started        16 Po-14102020.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 59 C:\Users\user\AppData\...\Po-14102020.exe, PE32 9->59 dropped 20 Po-14102020.exe 18 3 9->20         started        65 104.24.126.89, 443, 49741 CLOUDFLARENETUS United States 12->65 67 hastebin.com 12->67 91 Hides threads from debuggers 12->91 93 Injects a PE file into a foreign processes 12->93 25 timeout.exe 12->25         started        27 Po-14102020.exe 12->27         started        29 WerFault.exe 12->29         started        69 172.67.143.180, 443, 49743, 49747 CLOUDFLARENETUS United States 16->69 71 hastebin.com 16->71 31 timeout.exe 16->31         started        73 hastebin.com 18->73 33 timeout.exe 18->33         started        35 timeout.exe 18->35         started        37 timeout.exe 18->37         started        file6 signatures7 process8 dnsIp9 63 hastebin.com 104.24.127.89, 443, 49727 CLOUDFLARENETUS United States 20->63 57 C:\Users\user\AppData\...\Po-14102020.exe, PE32 20->57 dropped 83 Multi AV Scanner detection for dropped file 20->83 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->85 87 Creates an undocumented autostart registry key 20->87 89 6 other signatures 20->89 39 timeout.exe 1 20->39         started        41 WerFault.exe 23 9 20->41         started        43 Po-14102020.exe 2 20->43         started        45 conhost.exe 25->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        file10 signatures11 process12 process13 55 conhost.exe 39->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 15:55:10 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2ylkm2jxe2qjblcowfdjyek4ymqyz72kixioqxwa4blgndclu3a._file
Verdict:
suspicious
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
AgentTesla
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
AgentTesla
4b1ffe4df1fa405add5439e82aca1f7c49070d5f7935fe0d50fa653d754b630c
AgentTesla
5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9
AgentTesla
77ec4cc85d8c34393dcbd4e1290e39dcee07c3468aff17e312929b84c9b6a2bf
AgentTesla
829b3df0c75971b19d658fd980bdf0302351bdf6ddbdf5e2f5d83632df72215d
AgentTesla
a28b4a9bffc95f778a6c6593763cfad5ca96aa10843851e2c76446b4fea9a878
AgentTesla
a6470f4a3b0b76de33c62703bd5c8559a6555440c977a2632c37444847c5a693
AgentTesla
cd92100b5eee9f485facad22250d11ba811455710d2ca07e731f4d19741a571d
AgentTesla
e571cd3a4c0744cb3c5443b868577adced331a7545fcb6e2ed0efbe7506a2f9b
AgentTesla
+ 247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201014-p1z9dq59dn/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Unpacked files
SH256 hash:
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
MD5 hash:
ac3a5dc157c1d6e3628d06e0f8de0555
SHA1 hash:
7303b0c345036b16ee7fe083ea22245388919c4c
Link:
https://www.unpac.me/results/5261fadc-48f7-4d39-a3ba-2d1f37683e0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 4d52c5c1a05ccb1db1398073c580b6f4f69b90dd9e87aa3241549fbd0dd9a459

AgentTesla

Executable exe 86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36

(this sample)

  
Dropped by
MD5 7fda75c8424f93ccdd5528775ca79774
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70921/
  
Dropped by
SHA256 4d52c5c1a05ccb1db1398073c580b6f4f69b90dd9e87aa3241549fbd0dd9a459

Comments