MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
SHA3-384 hash: c8e0e0d8ff0db8bbba269745dab2262111924ee1244129d0fbb05f8979fd56f103f4fabf26633a2089da717f051b284f
SHA1 hash: c7a10e7192765089250fe6755b52c319c1579f60
MD5 hash: 1ab0d19b78e3aea83a6a07f505c0a747
humanhash: carpet-uncle-purple-shade
File name:MV. KG ASIA - VESSEL DETAILS 27-07.DOCX.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:691'200 bytes
First seen:2021-07-29 08:22:12 UTC
Last seen:2021-08-02 07:48:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:FlAjXxP/hP+5WyKVXY9KjcNPDY2AxRFHzf+KN8YH4+ejOjdUcPbCdkU7YgApu:XADxP/85WyKe9gcNPDsxRFHzfTKYY+e7
Threatray 7'552 similar samples on MalwareBazaar
TLSH T1B7E401711600049AFE9915B1C40ACE101F93796F51B1664AB0FB66DFDAE3331C673A77
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174919/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37310324.27095.24074.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d659bbd4-3d69-491c-bae5-9c0adaa04147
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/823647
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses powershell Test-Connection to delay payload execution;
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456059 Sample: MV. KG ASIA - VESSEL DETAIL... Startdate: 29/07/2021 Architecture: WINDOWS Score: 60 34 google.com 2->34 48 Multi AV Scanner detection for submitted file 2->48 50 .NET source code contains potential unpacker 2->50 52 Machine Learning detection for sample 2->52 54 Uses powershell Test-Connection to delay payload execution; 2->54 8 MV. KG ASIA - VESSEL DETAILS 27-07.DOCX.exe 3 2->8         started        signatures3 process4 signatures5 56 Uses powershell Test-Connection to delay payload execution; 8->56 11 powershell.exe 19 8->11         started        14 powershell.exe 14 8->14         started        16 powershell.exe 16 8->16         started        18 5 other processes 8->18 process6 dnsIp7 36 google.com 11->36 20 conhost.exe 11->20         started        38 google.com 14->38 22 conhost.exe 14->22         started        40 google.com 16->40 24 conhost.exe 16->24         started        42 192.168.2.1 unknown unknown 18->42 44 google.com 18->44 46 2 other IPs or domains 18->46 26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        process8
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 08:54:37 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vb76jufecbgtqwjgq6quaaxxbgj26wj74oyf7yutrbwii2navnkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
AgentTesla
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
AgentTesla
750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
a2116a39b0f6ba02799d74e44c3521e530685b6726b4443060a142f639d597d6
AgentTesla
abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3
AgentTesla
b399203403e92ab8865f492c93233be4d4d1ac1316c571b43171a052c7b214d7
AgentTesla
cbf445acf88f00bf98448420369d09bb35264d53667272e3363fae6378fa7a1b
AgentTesla
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
AgentTesla
+ 7'542 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210729-tdjjntzwrx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
MD5 hash:
1ab0d19b78e3aea83a6a07f505c0a747
SHA1 hash:
c7a10e7192765089250fe6755b52c319c1579f60
Link:
https://www.unpac.me/results/5c98fcd5-993d-4baa-b1a2-63f4acb49f03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/174919/

Comments