MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c
SHA3-384 hash: 67a8f403441b1e9780199d92a749c7b7ee70177319cad95412c150025464c930cf29f955261820050ca155d151050f1f
SHA1 hash: 3d4d176492156f8d5a8abe9af6acf946c29607c9
MD5 hash: 3fafaca1548c1b2125d56742437cf502
humanhash: asparagus-arizona-diet-minnesota
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:843'776 bytes
First seen:2021-06-07 11:22:08 UTC
Last seen:2021-06-07 12:48:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:ftffyFvT1x9vHmjnXVPYNw9RvKJ9SzYe4AMPvVFRcrnQC:f8xWXMw9RvKJYzDZTQC
Threatray 5'655 similar samples on MalwareBazaar
TLSH D8055BF4F19899B0D15DC732C290DCBDE7A119FE9353892C19F88E8E2E13B8A9F59441
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 11:25:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bb91f2a-58b4-4be1-abd7-683f1dce8b1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164983/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798032
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 20:57:23 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyptum6tt3wrwweztapyxireinheilnyipbsqbadflbor7rcbboa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07b7896911fbed2570ef9716256497017a3d2e57b4f992afc3c42aede186284d
AgentTesla
0f974bcf811dbe6c365320b6edfc39895131b0cc09810ea297c1d5a62b05d5c0
AgentTesla
1daf7e2b17fbb5d496223b1eec3fcf8efe3bc3ba1310bf61daef38fd740a6014
AgentTesla
2533bccd55634d0883662979a1ffef4f7d990f7153c28096befa93aee34beded
AgentTesla
37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34
AgentTesla
3fdc44d1ff4ac710c14a0bf17282299352f959c050d8d62d49890a1a57a424ce
AgentTesla
47ed9a694769d7cb9419f9a7250c67d109567589767862e20669be81536c60ea
AgentTesla
7f1eea4ae4283f6ab2ad283e0d650cf80a1f669b2d266560e9ace95d120c57b3
AgentTesla
a17de11c47636ac63c23de8fc6da983f6c7a90d2d36a50cb658716f655a666d5
AgentTesla
c9d6ca74d599512246ca68a50529db166f84796fd5eada0be3371ceb16a9d684
AgentTesla
+ 5'645 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210607-kxcdgzlgxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash:
8fe0389e4b903545421e42b628186cd2
SHA1 hash:
f6adc3d1a4ac995fad2a49474243d896b0236c2b
Link:
https://www.unpac.me/results/cd0391ed-4140-4878-be9c-ef0ab4ef66e3/
SH256 hash:
a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c
MD5 hash:
3fafaca1548c1b2125d56742437cf502
SHA1 hash:
3d4d176492156f8d5a8abe9af6acf946c29607c9
Link:
https://www.unpac.me/results/cd0391ed-4140-4878-be9c-ef0ab4ef66e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_generic_suspicious_hex_string_Jun2021_1
Create hunting rule
Author:Nils Kuhnert
Description:Triggers on parts of a big hex string available in lots of crime'ish PE files.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:susp_hex_string_Jun2021_1
Create hunting rule
Author:3c7
Description:Triggers on suspiciously long hex string that seems to be common in a lot of samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164983/

Comments