MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afd4a2b60af8081a2ec7f9de5c4f19dc94f265364a84d6855890202b3bac1984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afd4a2b60af8081a2ec7f9de5c4f19dc94f265364a84d6855890202b3bac1984
SHA3-384 hash: 4da8f73be246fcbda51d147a60a616d1de152dde06cc567cb84a9eccf7fd8386643d5269b38e6f228211970d86f90ad1
SHA1 hash: c3f6747b70d6942d3f56e6f590cf57c1d091f52d
MD5 hash: 2c02273735efe9ee83b319ee056939ed
humanhash: mobile-blue-oscar-sixteen
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:803'328 bytes
First seen:2021-05-11 01:27:13 UTC
Last seen:2021-05-11 02:01:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Woq/DoxynUVZRH8gDnh+m+GZMHJXwziPm90tjc5sYdW2jsQKLP7nh:pW6ynU5nh+m+GZ0XPI05hj2jsQ0P9
Threatray 132 similar samples on MalwareBazaar
TLSH 9805BF2D66A46E00E9BD1A3FC561D57080FEED06AD03DA5E19F03DDFB9B6BB4C40160A
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2021-05-11 01:15:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c315b956-91df-41cb-be0e-da19a6c4ea41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154625/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Telegram RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778023
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afd4a2b60af8081a2ec7f9de5c4f19dc94f265364a84d6855890202b3bac1984/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 17:50:33 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7kkfnqk7aebulwh7hpfytyz3skpezjwjkcnnbkysaqcwo5mdgca._file
Verdict:
unknown
Similar samples:
03031069effcc682a77ef6309fa1cea1ea2393dc4e385312952ca9b245ec4a09
AgentTesla
23ae26a2920f4b2fefdc074fa7f052da44992bd4ad639711eb38f8e11241a2b5
AgentTesla
8bcb7a8a5ec451753b7e49d1b58b68ec07df0de5a4a24e5bfa29adc53d21d558
AgentTesla
9885e59ed40fe0dd7227188294b241c1c4d2d488c656c2409648efeeaf560d07
AgentTesla
988bbad8a48d5a66c06478290c947492ae662576793a26028d9a87fa652b84aa
AgentTesla
b0f770f98c7385bdc31fdb8429b6d6e31e40a005cfdaeb9539f92eac357ba486
AgentTesla
b603fd540d4a4e79052ee4b93a3b4155eb2bacc3fd15ef9e4a9e9d94060c522a
AgentTesla
d5cbdab4cccf60d538b29be7dc3974f279cdf7c50689736120649820ea9f7d32
AgentTesla
e07c6115d9384a13918a22ac6f22631f78a9f18f8eaf3a945c6ba80ba91d713e
AgentTesla
fffe3f46408bc216dfa3fbb9f927b1d6ce8c1ba48b0a7bf2d419d9893260f732
AgentTesla
+ 122 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210511-5pkfxzcnme/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1154382515:AAEp6J5Hnbzd_K5BwkIUAh2gZUsIbEsrbHc/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afd4a2b60af8081a2ec7f9de5c4f19dc94f265364a84d6855890202b3bac1984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154625/

Comments