MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4
SHA3-384 hash: 22d7d15b7555fbd9b64147f958083b9d6c7c9520bddc31e9d409c60c90731e6981e97af53075b30089cee5a2a326832a
SHA1 hash: 0fbad24e2ce55ecb6e0d6ca71321d60198622fbc
MD5 hash: 0e0f5a727700fe60de98ffde4e1837cc
humanhash: iowa-fix-echo-stream
File name:Scanned from PNB Sales Office Copier.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:470'016 bytes
First seen:2021-02-12 02:38:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:1M7xjJVS5u+iaqVUHYitrzTAMWiI/BW/n6Ekej016D2/XfyKZHR0u3Ty7FRtdfV6:+B+ukY4rQMWiI4nbkMeXfyARByDtLJo
Threatray 2'593 similar samples on MalwareBazaar
TLSH CAA4222DBBA34939E148C736BDBB649044A7F65EEA56D309851F7B390C91382C217E3C
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scanned from PNB Sales Office Copier.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-12 02:40:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f1fab6c-12f8-42cf-b109-1c5ff2d10682

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606429
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 02:26:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4rehxh5aq6zqqjwyk7hvocz3djeqc7ero5jf3zsg3llix6rzh2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b15f992f5339280a6ffcd88e12cdbd358f3fd2ea797ec96036d2d8cf62210d6
AgentTesla
1dba88d2a711e0efb588cb9465a78513b45c80736ca55b31a678993eb5d89152
AgentTesla
5202a2ffe0b88802b22d6cd5009aed17424b969ee0a69d34848d0b1dc1818a33
AgentTesla
56b4f0d1d0a0ed41109abf11275097cfd12e8e79709f829914f6a89286606eab
AgentTesla
6118f0c08d35a0dacc436ecc89379620c5d966f7cba43a6148684dd4a06c81ad
AgentTesla
670b031cca042e01b07ece7021acc32ead795c2d64956c3f8754ff5f619dbcea
AgentTesla
8f61c978bb49ad072955763d7591104d967c7ac3380d8ef1157bf5e158f79770
AgentTesla
b419a7ab9e20433d32b0751483e81f24c3544b304399cf497f9e9f82efab2764
AgentTesla
d720d5e55684cbf894809d5963e95d6613af588bfaeb0ecfa6001beb533d0232
AgentTesla
e7a4a4b30f3fbf4f31548ae91975f0b9c866045e65a370d9c775433689db1adf
AgentTesla
+ 2'583 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210212-ptyez6y2na/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/fbde683b-d39a-4653-8cc1-cbe61da778d3/
SH256 hash:
18360c4dfb9c6685984552dbac99d67693601871cb2f570fc53f1248a66b015a
MD5 hash:
cad94a4a921969cbed4afe6dc7a597e0
SHA1 hash:
7c64ffde7974523375ef9b75b7833c7847121f6f
Link:
https://www.unpac.me/results/fbde683b-d39a-4653-8cc1-cbe61da778d3/
SH256 hash:
bcd74fe02265c79870be708ef0f634b0e5a16d8abcb44704c60e94ed7c4ea603
MD5 hash:
70439899807f12b5fa98cb46cd281481
SHA1 hash:
4b612f7d43dee4c7f2a4a41396837cb154a21929
Link:
https://www.unpac.me/results/fbde683b-d39a-4653-8cc1-cbe61da778d3/
SH256 hash:
872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4
MD5 hash:
0e0f5a727700fe60de98ffde4e1837cc
SHA1 hash:
0fbad24e2ce55ecb6e0d6ca71321d60198622fbc
Link:
https://www.unpac.me/results/fbde683b-d39a-4653-8cc1-cbe61da778d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9e0ca8580c1cc1a5e352f1aca35f7602584299c64be41691bac6b6917bafe059

AgentTesla

Executable exe 872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9e0ca8580c1cc1a5e352f1aca35f7602584299c64be41691bac6b6917bafe059

Comments