MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
SHA3-384 hash:	b952a8101773cbe9325036a5f6052bb810c20c9da0ad2cea93b518c3942732aaa5557ae87e95a9429c31c68888e8a807
SHA1 hash:	4020126b35149fafa6447dbdfd3183a5d9c35dc8
MD5 hash:	efab4797e8f0bd00f13d6303b9875ca9
humanhash:	friend-florida-maine-hawaii
File name:	Mixtec New Order And Price List Requsting Form_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	820'224 bytes
First seen:	2020-11-27 14:18:08 UTC
Last seen:	2020-11-27 15:46:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:xpix4SQSY88WFKNbj8VlAW3CpQuoJtta+66K3S5zPvEKdAA:x85QSYbEKNbj6iDIto+ES5LvEYA
Threatray	1'544 similar samples on MalwareBazaar
TLSH	6C055BA3334CC3E8C7697AF8503151BF7562AA0D8A6CE51CDED2ED0B6E227550077A87
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/105816/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/549398

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-26 12:48:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=symul5tay6eeghsnuz6w4nzqvnhdfa4xtlmnm7puys6nznfj63qa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

29606f35cd9ea80936304ef255b1962b8ba4e20a97e40cadabb37da6785c0ff9

AgentTesla

38ed7c72a2e50891a633f64047a2a6ce5303c451a1e676a26f300d7bdd90138e

AgentTesla

60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96

AgentTesla

b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7

AgentTesla

bd7bc6f7691334319750e484ab95397c67b973ec0c0efd25c1227c4328630b28

AgentTesla

d3ab51dd012ef279251684ea215a050cfe913de2237daeebfbb2d52ceb5c896b

AgentTesla

e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157

AgentTesla

eed9c06050ec45f480528543bba5e3176158763beda21f62220bde77f0bdeb3e

AgentTesla

ff212016b3815373f569019169d3685deb1fea8c6d61f61df4e5dbbda08b952f

AgentTesla

+ 1'534 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201127-6j27wg51nj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

082b30183042ee25cffa27528421a7c5b78438ba1426ed684bea52f685b42a6c

MD5 hash:

26b05f5ab81cfa8929bc14d3d9143e16

SHA1 hash:

d4dc0b56d5537ada85868885fd012ab8e8ee3f46

Link:

https://www.unpac.me/results/2ee690bb-0193-420e-b881-e726fd425596/

SH256 hash:

2cc68191492d95dee7ce158439d9b56febe130a284ca1ad8158029470646c7e8

MD5 hash:

a5ea9f42c7d66f9e1a9592d511b18889

SHA1 hash:

cb6c94454a2f23cd7550ae8bbec9e292dc88ce58

Link:

https://www.unpac.me/results/2ee690bb-0193-420e-b881-e726fd425596/

SH256 hash:

a3a008b87ded765ed76c9bedd06dbae5f62edd573da15d376cb3fb91b4bd7f09

MD5 hash:

5ae25f51e2881f74cc9e057ef48c02a6

SHA1 hash:

a8e9e48e0e788e76ce01e923946bfb0c2098b39c

Link:

https://www.unpac.me/results/2ee690bb-0193-420e-b881-e726fd425596/

SH256 hash:

4e303050b420e9c3e0babb240bf2068fa2b5d3a95c99734c8b160fc46afc3f0c

MD5 hash:

fd50030def908536609835d05616685b

SHA1 hash:

76f8d934c4c021780c872d27c69abd098f4e0dff

Link:

https://www.unpac.me/results/2ee690bb-0193-420e-b881-e726fd425596/

SH256 hash:

961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0

MD5 hash:

efab4797e8f0bd00f13d6303b9875ca9

SHA1 hash:

4020126b35149fafa6447dbdfd3183a5d9c35dc8

Link:

https://www.unpac.me/results/2ee690bb-0193-420e-b881-e726fd425596/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Barys

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/105816/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample