MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8
SHA3-384 hash:	eea4fea4f372613cf28c65af8e039f1924944b48635655a41a3e42a0d82c20dfdce22eb577954ed3450e84e01fb340e4
SHA1 hash:	eb180807175f47ae2691e58623ba64b3741415f8
MD5 hash:	d817da56a8c990965cc99e0180d7221a
humanhash:	finch-cold-queen-quiet
File name:	PO#90KY_pdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'249'280 bytes
First seen:	2021-04-07 11:20:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:20bcVeMHDnrJP36dGApYa7E3l2rJky4MuWzxQiKUT:ktjnMd1pBE4rJn4MTFQW
Threatray	15 similar samples on MalwareBazaar
TLSH	8345ADD1EE86EB48D17953F4D05C811883F1EE4AA325DE493D8CB38C5571A8ECAE52F2
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

Malspam distributing unidentified malware:

HELO: vm2057159.21ssd.had.wf
Sending IP: 185.250.207.134
From: Logan Projects <orders@logan.co.za>
Subject: Logan Projects Purchase Order
Attachment: LoganProj-PO46523_pdf.img (contains "PO#90KY_pdf.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO#90KY_pdf.scr

Verdict:

Malicious activity

Analysis date:

2021-04-07 11:54:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9d6bd4c7-8036-4c72-acc3-1fcc4669842f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/132837/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624.32009.4661.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/668601

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-04-07 11:21:13 UTC

AV detection:

15 of 47 (31.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v5mrre3almxszhuj5dthkloqxdxidfbwf3n2sj2rh3guhowfyhua._file

Verdict:

unknown

AgentTesla

5c8301f5ec2ae8cca6eb7aca8cd2578811019bcc261e16fe84f1bf7231676805

AgentTesla

7c98a7aee7d155bc8632cae1ff09120f88483adfa77205e6b74253e9d652e2b6

AgentTesla

7e585caf6d39d5596d2f74e12de5c1d5e3d00fb9eaa2341808d13fbe7db70d4b

AgentTesla

9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c

AgentTesla

ae1efe48a48d407e61531703344339809994b4c1bc339cdd4e4f5a4ec9f498b7

AgentTesla

c9ecc8ac0893475d6852cd5aadf9ed6c5378e45f281b92ee948def1c7f9263f3

AgentTesla

dc377a33af6a32885d2ad71c2f0495372f5aac992d25fa0239ecc9aeec1d482b

AgentTesla

efa63822d503d39c7cf4ed12eea7c23780a146214aafcf5b74a18b859c5ab5ca

AgentTesla

ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362

AgentTesla

+ 5 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210407-2psjhmpqln/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379

MD5 hash:

95dfa1a9015a17a1d49b4faa3f3d999d

SHA1 hash:

427b72727b28436554d0443d797f19b2ea37cc16

Link:

https://www.unpac.me/results/d387429e-6f1a-4fcc-bda6-8e6b9294af08/

SH256 hash:

af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8

MD5 hash:

d817da56a8c990965cc99e0180d7221a

SHA1 hash:

eb180807175f47ae2691e58623ba64b3741415f8

Link:

https://www.unpac.me/results/d387429e-6f1a-4fcc-bda6-8e6b9294af08/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img f90867ae287398ce9cde1d08f2223f188483bb5ef0ace82b071964b64270f5ed

AgentTesla

exe af591893605b2f2c9e89e8e6752dd0b8ee8194362edba927513ecd43bac5c1e8

(this sample)

Dropped by

MD5 ac2edc59321e246a08e05437b0aa1934

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/132837/

Dropped by

SHA256 f90867ae287398ce9cde1d08f2223f188483bb5ef0ace82b071964b64270f5ed

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample