MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99
SHA3-384 hash:	bfd9033e4f6b038e2e68df5af752f990df4277557928dc7a5e1008908c8a0ef9634e73ae110de5b3abed4f6a23dc0cb3
SHA1 hash:	be655f8d720a3d6f20a6ffea7eebfcb8033cb3f3
MD5 hash:	40510e21e4d0beb74d4d0ef2f2871bda
humanhash:	ten-east-iowa-foxtrot
File name:	PURCHASE REQUISITION.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	581'120 bytes
First seen:	2020-08-27 05:38:34 UTC
Last seen:	2020-08-27 07:19:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:HUd6449PazvbbXXeo46Hu7lD5wYsCE6K4q2pkCAS3naFA16P10H35:4Zfb+oxu7l1s1RZuAOA06yJ
Threatray	54 similar samples on MalwareBazaar
TLSH	4AC41265023DDF16E5FD09BAA8BD724047F238A5A4B0D79DCF55E24A18FBB404B10BA3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.com
Sending IP: 103.99.3.13
From: MITESH AUTO INDIA PVT LTD <Mitesh@mail.com>
Subject: FWD: QUOTATION
Attachment: PURCHASE REQUISITION.rar (contains "PURCHASE REQUISITION.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51587/

Detection(s):

SecuriteInfo.com.Fareit-FYV40510E21E4D0.31228.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/452273

Signature

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-08-27 05:28:35 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=usvemn7zfzwr6d5ovdahdtkwdmku4njzufuzo3v632ikz5twbomq._file

Verdict:

unknown

Similar samples:

013d92479d88b8e1c76b764f9362e1c101481b6c26ac40dacec77b7910ec7344

1b70d8bec1085949c128725ae5a8b69ccaeda7c20fb1e7be0d6e9ff2b5ef1a85

3b70052787ba01b0f7d97fe6bb0278e739e0837d827769710e0514605ab6b474

47a8274c13d1205f8651a7b2df233e51e59b369ce8250cc755ff61d422afa561

483fc85417b647e1100ca61a281e1c2bce0d2a7d66db220f72ec4f1f2d7e2ab9

82c21c0385cf81bd1bebb5be82fb080207e1189729202980c408151692637a02

98d4b7190b6a816819aa380c586680a0b5129d9516d51a2eed25f6399c93b23a

b2532be6f4f18504d0cdb50f75d84d41880203d3ad0d51a499ea8d48b2d97a64

bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b

cb77918ae8d2691de468c12d6a6074156a81b7774eadbd7197038285140d94cc

+ 44 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200827-lhztbh24k2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 4f4f6eb511e3968c7473d795f816224ce53bdaff081d87e8399e6efdcab42173

exe a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99

(this sample)

Dropped by

MD5 a747b9559e2a63f7216cb36b37d64b52

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/51587/

Dropped by

SHA256 4f4f6eb511e3968c7473d795f816224ce53bdaff081d87e8399e6efdcab42173

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample