MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a87a9b5ea775ce73225d60195504623d4c285a72e43ee63fd1db4bce712dbdbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	a87a9b5ea775ce73225d60195504623d4c285a72e43ee63fd1db4bce712dbdbf
SHA3-384 hash:	16e945a9432cf2ac12ffda836704505f9c7fc3499206a38ab14aea8d59a60a0ccefb64f92baaad08fed5e9962ed38ac4
SHA1 hash:	82d03e5d2b2feabbbce67b95e2c75ba54e7121ad
MD5 hash:	0b90a47f6db7d519e47bc337ae2dee9b
humanhash:	leopard-arizona-freddie-speaker
File name:	Re,Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'169'920 bytes
First seen:	2021-05-26 07:27:55 UTC
Last seen:	2021-05-26 09:18:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:HDJqMlJqGQJqv9ow4Tz4VsvI5ZStJqThgGNxdN5xSeskyCLxeyDF3FTxRn9bMgTw:ldCp1/QRoeS6035xyKtuGKaUS8I
Threatray	5'273 similar samples on MalwareBazaar
TLSH	0E453A0523A86F2AE43E937C94E4440343F1F62BE351EE5C7CD163D90762F45AF9A62A
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/162237/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.763.21435.21311.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/792291

Signature

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a87a9b5ea775ce73225d60195504623d4c285a72e43ee63fd1db4bce712dbdbf/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-05-26 07:28:10 UTC

AV detection:

5 of 46 (10.87%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vb5jwxvhoxhhgis5mamvkbdchvgcqwts4q7omp6r3nf444jnxw7q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40587d867fdf86bfe11a38eed3f96aa6496282881332cb053b2ef2e3f1c00e63

AgentTesla

5a5953c3eb2a3f323e0eeb4b30092026004a2408eadedd96818e505d26f7f846

AgentTesla

81fe567a5318074f174e51beb93e0099481033fd164473a9fea7e95b8124a529

AgentTesla

83a3a8c2e9829306fcf0d2d06244206bf2775412cecf3196ba38ef04404cf2ff

AgentTesla

b9f5d58f514d84db1f4bd429be5188d2fea106e03256b1e4c16e16da0e191f21

AgentTesla

bdc9849371891b1cab4067f7ae50dbdf2992967750f9385731ec436a7f316300

AgentTesla

c445780cd57b126311437ef6d7695d4038b447c0efb6701609c0cb5fd116c570

AgentTesla

ef84990e67f10821c9df29ad5297f27ba151bb4c6f247010373e8ebab2d647e0

AgentTesla

fae1d2f06c1a94881d1182a778c42cd1078d47ff2784d94384bc676b9779be8a

AgentTesla

+ 5'263 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210526-6tnhhh56rs/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a87a9b5ea775ce73225d60195504623d4c285a72e43ee63fd1db4bce712dbdbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/162237/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample