MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a944f09589ba97e55ee91de25b37708a24d1fed73b3b9af848d5ea8fa097f89c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15


SHA256 hash: a944f09589ba97e55ee91de25b37708a24d1fed73b3b9af848d5ea8fa097f89c
SHA3-384 hash: c68f66e4d4bbf21f5b0ada014bd73966fc7f189494e3d7ec39a9895b34484a964b05690158018ed29e522ccc23cd0872
SHA1 hash: cc24e6fdf7cf85f7b783ec842d85e9333408811c
MD5 hash: 539b638382735350da38900a8d1eb22b
humanhash: sixteen-thirteen-sad-papa
File name: Jan 2022 Last Order -1102990_DOC_00902011.PDF.exe
Signature: AgentTesla
File size: 557'056 bytes
First seen: 2022-01-31 09:17:30 UTC
Last seen: 2022-01-31 13:11:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:NqVO7Ja3pML8kx6Q/YuJUZsVpX5ZqPCVCtVkMn43p:4VOVMMLLB/T4spXqa0Vva
Threatray: 14'854 similar samples on MalwareBazaar
TLSH: T115C4BEB4A1A78551F10BC974257CFDB101B231E3A9CA0D3967397200CFAEF997E85A4E
dhash icon: 8cfcd89cccc8d0b0 (23 x AgentTesla, 14 x Formbook, 4 x SnakeKeylogger)
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 196
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Jan 2022 Last Order -1102990_DOC_00902011.PDF.exe
Verdict: Suspicious activity
Analysis date: 2022-01-31 10:23:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Result
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-01-31 09:18:12 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 18 of 28 (64.29%)
Threat level: 2/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files

SHA256 hash: 783a2a2ec8277f3f13b9a96c4d66c3ec0a267cc669d50f15d4547cf85cbba05b
MD5 hash: 8910621194307d18d1ed10c60796941a
SHA1 hash: def240740ee26a2fde8c0a814888bb7ce7e6451d

SHA256 hash: 6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash: 60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash: 8db84f5f4c569c86c69aff464b2ffc4ce3dafa20

SHA256 hash: 33ccc8d2b26074ec9f93a884c4750bceb71d915130f350cfb5619600388eb263
MD5 hash: d8c593739ed9950f9cc53c2bb3ec3e43
SHA1 hash: 0c6693fdadc48173ee437507126e8633ccf244a8

SHA256 hash: a944f09589ba97e55ee91de25b37708a24d1fed73b3b9af848d5ea8fa097f89c
MD5 hash: 539b638382735350da38900a8d1eb22b
SHA1 hash: cc24e6fdf7cf85f7b783ec842d85e9333408811c

Malware family: Agent Tesla v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe a944f09589ba97e55ee91de25b37708a24d1fed73b3b9af848d5ea8fa097f89c (this sample)

Delivery method: Distributed via e-mail attachment

Comments