MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7
SHA3-384 hash: 50084ba41cd4b304c5fd93102ef6ad6943229e57b1e0b4c075b633bffb316a9ceb7bf0ac1bcb531b8e44ca4eaff46543
SHA1 hash: 158ba91ca6a7474cf0b325ee1b34e051e4446bac
MD5 hash: 92edc07e62ff8a09999bebb6e679b18d
humanhash: blossom-early-zebra-grey
File name:PO No. 104393019_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:756'736 bytes
First seen:2020-12-03 08:35:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:hp1mjmvJCLzz92hs6hNNm8w/QDfjSupvLN5qlI2ahRAuEnSiMajS6ctUWJTN2qPB:hzpCLf99SNFwYD795LN5qm2XSiMaQtU5
Threatray 10'906 similar samples on MalwareBazaar
TLSH D2F48E35AF591A3AF53AAB7CC1B02055A7EE6793B307CD9D2CB211C90B23D029AD153D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.palmercreative.co.uk
Sending IP: 185.217.43.142
From: Bahr Muhammad <info@albahralarabi.com>
Subject: URGENT PURCHASE ORDER No. 959309292
Attachment: PO No. 104393019_pdf.gz (contains "PO No. 104393019_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106548/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42726.7922.9189.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/554431
Signature
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:36:11 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=takmnfm5phfomo576mnayz36j3x23zr6e4xwqbd2kttrlxnuiwtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a5ec1ff4f810763ca38afc292dfc2d6d39242d2c5a6f4dde705b195357f3d15
AgentTesla
33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156
AgentTesla
43456ccf78231f448437d34b0d8e0f539fe2713743928d8bba119207b8b5f22a
AgentTesla
63301b24f3d0794ef1dfac023a0eb80f731e88f270f56060c82e6de18710fe28
AgentTesla
79ad68c6a6fc1e8dc7ba1f2bee73acaa313553cb1c7737101cf1bdead4231e7f
AgentTesla
7d47aae61d6960e7900bb2102b481114a8d948f13cc404082f376786e88959ad
AgentTesla
80d2742ad2aa2b84c5c32278be4a819400da0135ce52389e6ad711539d6ab9d6
AgentTesla
b05d95907bad3746cc161aa8bd74c71191a25fc383557fbf754d7c417daeb8f4
AgentTesla
ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c
AgentTesla
f9e0e3eb49ce4d6156f30deddef92e6b750d24ccafff82afdbe842244894c156
AgentTesla
+ 10'896 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201203-9h76q3wdv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/af75b76e-b581-4d08-8583-b555b0fde90f/
SH256 hash:
9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7
MD5 hash:
92edc07e62ff8a09999bebb6e679b18d
SHA1 hash:
158ba91ca6a7474cf0b325ee1b34e051e4446bac
Link:
https://www.unpac.me/results/af75b76e-b581-4d08-8583-b555b0fde90f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz a0bf14d6b3484e4f60f4d8861ef11334159f1174800a3ac7a86ee25db563a4a9

AgentTesla

Executable exe 9814c6959d79cae63bbff31a0c677e4eefade63e272f68047a54e715ddb445a7

(this sample)

  
Dropped by
MD5 e2545d337582edd92318c81209d7ec32
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106548/
  
Dropped by
SHA256 a0bf14d6b3484e4f60f4d8861ef11334159f1174800a3ac7a86ee25db563a4a9

Comments