MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3
SHA3-384 hash: 4f086ccee033bd63dd8a08416432d8ec9496172d2a2271541443183ef15aa5262399489e454dc5c89ce6ee8cbd1e4020
SHA1 hash: d173836380d09632f0dcb5ae140d516cabdcf4b5
MD5 hash: 683ef375f7db64a591c14bc8e6ee71de
humanhash: artist-vermont-kitten-sierra
File name:AWB & Shipping Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'069'568 bytes
First seen:2021-01-10 07:24:02 UTC
Last seen:2021-01-10 16:53:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:alZim9UU9XceGg09CDbIPNOpaIcjpqBTRvXN3uGcwC:qR+n3gpazpyRX0GcwC
Threatray 2'108 similar samples on MalwareBazaar
TLSH 1035011023BA2B64E5BC1BB11136124117F4F206C727DB39FDF174EA1F6278686BA936
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gerrys.com.pk
Sending IP: 103.145.254.221
From: Abdul Wahab<abdul.wahab@gerrys.com.pk>
Subject: Re: **TOP URGENT** AWB & Shipping Documents
Attachment: AWB Shipping Document.Img.zip (contains "AWB & Shipping Document.exe")

AgentTesla SMTP exfil server:
smtp.trgcomq.com:587

Intelligence

File Origin
# of uploads :
4
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB & Shipping Document.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-10 07:27:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d3a9cdd-db23-4637-ab2d-5dd8ce1dd840

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111151/
Detection(s):
SecuriteInfo.com.Generic.mg.683ef375f7db64a5.14088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577416
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=st4bsq56kgnuqilqwp7z2uervxa6jiabzrijj724ohuum33jwlzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02312b29f98be5771e45592778fa9ab84ff312a3aef9d4c28aa70d7be0162d51
AgentTesla
068e09db64c69a2e1b69a791dc3a2756f6fa1091b56ff47285dadd8f425ebe9d
AgentTesla
0d77a7855565f1f714311f0b3fddfa7a924e833f4723bdb0cb6a7d28e910844a
AgentTesla
2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
AgentTesla
480190443e701b4d129d789fe99b20bd84372470a14f2a113705735065bd43f6
AgentTesla
4bc5afb7fa8639008d294a8afb8f42531bfcf084398600500bdc81533602c760
AgentTesla
6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f
AgentTesla
70bba7ae7db7a571dde9f6e9adad50a1b4fb32b8757f5d6cebb3d73b833644f6
AgentTesla
ccf7cbe501b4e91d8f020fb061bbb24167316704bb9566aed6a6a5bc36df3d73
AgentTesla
f5e0c3bfd23d86f0cdef681b4922c59e77fb094bacd29add988ff6c9a30d850b
AgentTesla
+ 2'098 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210110-rd1kjjx5qa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3
MD5 hash:
683ef375f7db64a591c14bc8e6ee71de
SHA1 hash:
d173836380d09632f0dcb5ae140d516cabdcf4b5
Link:
https://www.unpac.me/results/27e486ea-daa6-48cb-bb4e-4e9c6d94334b/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/27e486ea-daa6-48cb-bb4e-4e9c6d94334b/
SH256 hash:
f60bf34dbcbfc161410eb2697d8daf09c9d7d012802709aad1ed5e4251dca489
MD5 hash:
ca941434cd4361cfdd89e106f53d52a1
SHA1 hash:
08c08243cae17893fbd66a0e5e8604ac99652a0e
Link:
https://www.unpac.me/results/27e486ea-daa6-48cb-bb4e-4e9c6d94334b/
SH256 hash:
3abae8abe3fad9677176b2f44a57578acf88e3ef18703b298771f88d959649c9
MD5 hash:
f07cf7151c6bd64070b44a67d21a7e59
SHA1 hash:
7c7b7f27f1827e1f499c37222040e86af04e5314
Link:
https://www.unpac.me/results/27e486ea-daa6-48cb-bb4e-4e9c6d94334b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2dee1a366444edd4aa04dc18f46a3f8d7a491d26d30c473549664f25d7a92f9e

AgentTesla

Executable exe 94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3

(this sample)

  
Dropped by
MD5 e167cf885ea47c939c29a53d13e8c0c5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2dee1a366444edd4aa04dc18f46a3f8d7a491d26d30c473549664f25d7a92f9e
Cape
Cape
https://www.capesandbox.com/analysis/111151/

Comments