MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4
SHA3-384 hash:	09e0774486b1a13bb846e889d1e206d6e0f7a8d0d835e8f51729302cee49c019bc7b72da81a19ff8a3ec361037556371
SHA1 hash:	876d9fa70b4d62e80b594afc33d9eaab37ee6d70
MD5 hash:	31c18834becb6774ef87beb56f4c5c49
humanhash:	early-mirror-oven-golf
File name:	Invoices And Payment Slip_pdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'243'648 bytes
First seen:	2020-11-05 10:18:23 UTC
Last seen:	2020-11-05 11:52:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:1liskcTP8bi2WHoYIE2Xr8WOm0OyGEJrdwXWPsVamVjT5/mMd:1gsfGWHqBoWr0OyH7PEVamlVm
Threatray	10 similar samples on MalwareBazaar
TLSH	734559E6ED43EA1AC40A04FFF84FD46D8385CF1D5BA94C465288F319127868DD9E84FA
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/83215/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42665.3055.7126.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/521304

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2020-11-05 08:05:06 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q3chqvwboy6nd6tunlmzbju3dq7vy6b43nulddetgwxr223f7o2a._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201105-3ksva4qfka/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4

MD5 hash:

31c18834becb6774ef87beb56f4c5c49

SHA1 hash:

876d9fa70b4d62e80b594afc33d9eaab37ee6d70

Link:

https://www.unpac.me/results/d978c2de-8cd3-48fe-a6c5-b0d0023f10c7/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/d978c2de-8cd3-48fe-a6c5-b0d0023f10c7/

SH256 hash:

e1bf241359426312d80baf8bfd0abc84f8188272512a9f519e8620933ef80b1e

MD5 hash:

4af871ef57bd4c5d362f72be3525440e

SHA1 hash:

2d4c439d5cb70fd634cf84cb4d3a8443343aa0bc

Link:

https://www.unpac.me/results/d978c2de-8cd3-48fe-a6c5-b0d0023f10c7/

SH256 hash:

d69e4b9c70d43a2716a9bd35b933d8591b2b89d178c0aa072a6716cbea9d3756

MD5 hash:

4c8c10356d00915d7fe6af7181635098

SHA1 hash:

468890af642fded96d3ea0c5eb82c24d55abe702

Link:

https://www.unpac.me/results/d978c2de-8cd3-48fe-a6c5-b0d0023f10c7/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/83215/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample