MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601
SHA3-384 hash: 72cd9c26385b363b5896cdae466cd33edf9ce356b78b9ba994bc7ed15765494e0c526714ac47ed4638241e7ac6ff33e6
SHA1 hash: 54799b990802d9492cdf911847b0b9f7e63d21bc
MD5 hash: 639630f820d080aa0598dadc0c91605e
humanhash: speaker-lactose-summer-red
File name:POAZ566-WWL-005A Lesser Pavey Ltd HSL Worldwide.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:460'168 bytes
First seen:2021-04-04 06:37:32 UTC
Last seen:2021-04-04 07:58:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ayPQ3rccrmf91UIeCactuXhOOEjg8D2jcDbD30J:vQ3uf9XetkuXEU8an
Threatray 1'474 similar samples on MalwareBazaar
TLSH C3A4F2D1E28462B2F8BA0E75511196E40577FEFAE405AB3E2080FE6B31735C37671A1B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.essae.com
Sending IP: 14.141.34.42
From: quote the prices <mollah.sari@yahoo.com>
Reply-To: mollah.sari@yahoo.com
Subject: April combined order
Attachment: POAZ566-L.lzh (contains "POAZ566-WWL-005A Lesser Pavey Ltd HSL Worldwide.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
POAZ566-WWL-005A Lesser Pavey Ltd HSL Worldwide.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-04 06:41:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fc77847-6c9f-4319-89c7-c59a5ff298dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132063/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.10264.29787.15001.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50b66d69-a63c-40fb-8952-f2790f959c3f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665495
Signature
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601/
Threat name:
ByteCode-MSIL.Spyware.OutBreak
Create hunting rule
Status:
Malicious
First seen:
2021-04-03 12:49:46 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ur7jog6xnwrz4gbqoqsmnp5m3gxnqmattsziel4ufwlsendh4yaq._file
Verdict:
malicious
Similar samples:
202e40782853b6efd0c62a2cbdf33891463302014b21b026ef35d51e2d889bac
AgentTesla
20e0f8561c714292edd786c9d77983c8777d8d5740758e43c08ab899e5c00023
AgentTesla
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
AgentTesla
5523b6368db651832484529a46f8c4ce6661b4770e10081937b4014c97c2197a
AgentTesla
733b9a08b05ec70c7ac0d28dd9b9e832c85e668342fffe880e0e2ab5222de082
AgentTesla
757de1bfe2ba8c069cad8938b02383d54fbc1ed0823ca0f8374c34ae12ee0ce8
AgentTesla
7aa143c3f67105e841d5a8ff20aba989f6647de80b28941d268af1408c42dc4f
AgentTesla
d1e921ec22569a704a14331c50debac40a81103e712b59e64c97ecfa01153fde
AgentTesla
e304360ae3cd976383d8593e91f3f3bb95ab4f56f90d281e390e64b9f9b45a10
AgentTesla
ebfb1ff1b4c2b59183abffb8fbc8fd8271d0756868ceca9b72b26cfee8030ec9
AgentTesla
+ 1'464 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210404-7rb1sgk66e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
42968f9b35cf41c2ff9fa21929a2bc596985ddfbd22e1d77ac426296f8f24336
MD5 hash:
531f94ffcb0b5443a87519f102daff08
SHA1 hash:
5cb1d556b8bc62999b8a7ace3b3b2f5dc3c6c410
Link:
https://www.unpac.me/results/e772c07b-ab09-4ba8-b975-2eb80eb7384a/
SH256 hash:
a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601
MD5 hash:
639630f820d080aa0598dadc0c91605e
SHA1 hash:
54799b990802d9492cdf911847b0b9f7e63d21bc
Link:
https://www.unpac.me/results/e772c07b-ab09-4ba8-b975-2eb80eb7384a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d6fdab320ccb62c703f9030c92f68d8100097467a0ac40a1e173a2c7e871932b

AgentTesla

Executable exe a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601

(this sample)

  
Dropped by
MD5 0a492ba11ac992ddf7c8561f77322a1e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132063/
  
Dropped by
SHA256 d6fdab320ccb62c703f9030c92f68d8100097467a0ac40a1e173a2c7e871932b

Comments