MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abdaf4a53afa53c8e19f41c04e55b34334e96331d1453c3c82a69ecc43fceccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	abdaf4a53afa53c8e19f41c04e55b34334e96331d1453c3c82a69ecc43fceccc
SHA3-384 hash:	a4ad4673d70933631495db47e5af711326e02b6b78a0d83669b34533cd45a387c9dd7b4a93380369d4ee601fabdb04b1
SHA1 hash:	8d86168a586182fc3bdec3ecd00c8c1b58838665
MD5 hash:	cef53ea40229fa5da9993cd4566903b9
humanhash:	lithium-berlin-bulldog-utah
File name:	BARI MEDI ORDER INQUIRY 3756653_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	472'576 bytes
First seen:	2021-10-07 11:56:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:uqh9oCY/DRjChwiGmYQAxEWIp/LE/VGQazGHYkAD/xx5:vh95zhyHojENGQazkYkGxx
Threatray	11'771 similar samples on MalwareBazaar
TLSH	T16DA4F13A32A3CD05EE7547B6EC9DD05007B8E853612ACB3E6E8E71AC78127F54D805DA
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.africa-eco-resp.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BARI MEDI ORDER INQUIRY 3756653_PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-10-07 11:57:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c8e6b192-23d6-4d05-aa85-c4171d2f1774

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195829/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed

Link:

https://www.filescan.io/uploads/615ee08fe3d213d202b9d1e7/reports/35bc6ef3-5bdd-4cf7-a7e7-8b7e249e221a/overview

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ca2c613-4430-4c24-a906-8e0c373d90e8

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866385

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Moves itself to temp directory

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/abdaf4a53afa53c8e19f41c04e55b34334e96331d1453c3c82a69ecc43fceccc/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-07 08:21:40 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vpnpjjj27jj4rym7ihae4vntim2osyzr2fctypecu2pmyq745tga._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0a9ce88cb32da5f8aab38458eb7b58db8ca8250a06e98d6c1a9eda48d7a1aac1

AgentTesla

3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4

AgentTesla

6013e3caddf97dac75bf9ed3596deecf54ad0150f0346326d1d6a6d077a62c6b

AgentTesla

7ba1408268ae1e9e2740961be6f5d3fe10de18aa03222b91c499b8a54d6e6a2c

AgentTesla

826b51c351a4dd69e6c82f9ad585537f076ce8461ee1a0dbe1cf1a4dc1bd20f4

AgentTesla

a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd

AgentTesla

fc22aaa35e5504461dd5ace02d041f7715bc25acf329d2070e02e854b54d4de0

AgentTesla

+ 11'761 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211007-n4k6jacce8/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

d52e65663384a47925d2501536fb2b7e1c6728c6541b973718936ba1f9018a7a

MD5 hash:

ad0723d59a8e536e1a0ebbe97bc1abe8

SHA1 hash:

4cebbe30631cb09b458b04f392d132ec180ef3a8

Link:

https://www.unpac.me/results/6176bfdd-9060-45aa-8ca0-75c5068a5c85/

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/6176bfdd-9060-45aa-8ca0-75c5068a5c85/

SH256 hash:

3910dca9fe92f78aff537ac79e813b070dfeb186b54af9f0bdb846fa604e2a0a

MD5 hash:

305e0923afde9c57ee0cc0f77ce13a2f

SHA1 hash:

1a539b1b538549049df6e76de3e450f44b99b383

Link:

https://www.unpac.me/results/6176bfdd-9060-45aa-8ca0-75c5068a5c85/

SH256 hash:

abdaf4a53afa53c8e19f41c04e55b34334e96331d1453c3c82a69ecc43fceccc

MD5 hash:

cef53ea40229fa5da9993cd4566903b9

SHA1 hash:

8d86168a586182fc3bdec3ecd00c8c1b58838665

Link:

https://www.unpac.me/results/6176bfdd-9060-45aa-8ca0-75c5068a5c85/

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/abdaf4a53afa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abdaf4a53afa53c8e19f41c04e55b34334e96331d1453c3c82a69ecc43fceccc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195829/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample