MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58
SHA3-384 hash: 1cc3f0a1d7f60a995682e1a62eefe587880f11e472f6da1e1472dddc1928fe3c795a159b6556f54ee50cdb018b5ced7a
SHA1 hash: 2d103b260d9e72844e590dc46b72f33a4e2fe178
MD5 hash: b52112bdfc9dddbdc6fbb9d736f44f5a
humanhash: march-delta-alpha-earth
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'577'984 bytes
First seen:2020-10-05 14:32:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Ph+ZkldoPK8YaHWgb1Q313x66bxkg6Me:Y2cPK8cgZQlpkg
Threatray 765 similar samples on MalwareBazaar
TLSH C775DF0273D1D036FFABA2739B6AF64556BC7C250123852F13981DB9B9701B2273E663
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68265/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/481665
Signature
Antivirus / Scanner detection for submitted sample
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-04 21:41:26 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbjndcp3xjurc7x4nyiodsw2h6xoqrgllg27bukie42jo3dsxvma._file
Verdict:
unknown
Similar samples:
12e5bd0d0f2a4e37702b096487a48992d98c846e79e9e0ef5c900e15e6e563f2
AgentTesla
48b1f899e7ad8d880a6bf9d97ada6507c4403c8d8e81815f83fb8181ca247008
AgentTesla
4951a0fc882c8d7590f4edac6f7b7e0408510d2db4353c3f5ff20c25ac60a92e
AgentTesla
628fb13f63d68b25083522f21c084fc565fd8fe57e05b95b35b76ac01fdbf5ff
AgentTesla
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
AgentTesla
7d0588c83332fe92ebabc72cc32b6d3ddc7d13e66e369d91285a78fdf625621c
AgentTesla
a84c5039384d4ad73322e65677792efec6cad75a240a98f7b5adebe6537ddd6c
AgentTesla
cda432c107c3fa22908941cec37a18edb507ceb2c83d70caf87031d2b5817afa
AgentTesla
da362c114efb6a8f52b94b4554a7dcf6594eb2408f16d22cbd3cdbc520eb86eb
AgentTesla
e897888dd36ab2a5740030d628f510ef0563d9d039e896b45134a4a5c4a82bb7
AgentTesla
+ 755 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201005-e2drt73c4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0897d0954dded59cbe044276d8a380bcd3e5d2fdc86bddb01d3dfaac14050737
MD5 hash:
b23f431cfbca2c6409e18459da7d2fa0
SHA1 hash:
a7b54495e410718a5dbb77a2b179fbecf016a7e9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/1f6485a6-68a5-4614-8dc6-d686853436fc/
Parent samples :
b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58
89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e
62da90f49f3a05c5daeb2b9a5edafa5e67cb8e2b32929ce7cb800a706af1d99f
08f4ca4ce85d82c9c563f815ce1c23a1f1526420ad9982d3c23b44ab41470a4d
436f7e9402eba8912904874a6c8085cf85c80b57968372d51c50739b25849e12
88ee51250e47627f9b734c897249cdc14a295d7297494b1ec7aab981370185ba
bbc94437bf54f676a86709d278fdf0977f5bac33bbc0262377fd4054561535a0
ed2d120151830f0dd5f1ba2f201d05bdf90702efa5d41365bd54b9b04c15aa28
de86cb4227717aa6e3818fc1f0ec62d733b1e5e941f410db7c0065ea4c4f7e94
7423c0c0302e6fa4b8ddc313963caad4189b570e9f43b201e83cfe56953b1e82
ac4013eb7d6c5dbbf90b163c9ebc5cf8fe40090132635764de6624ac2e3faf40
92d887eebd56236c7b64d7c4df54d34b63910982eddf27769b942d524c39a4a3
SH256 hash:
b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58
MD5 hash:
b52112bdfc9dddbdc6fbb9d736f44f5a
SHA1 hash:
2d103b260d9e72844e590dc46b72f33a4e2fe178
Link:
https://www.unpac.me/results/1f6485a6-68a5-4614-8dc6-d686853436fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f0e866e8c615056f07f4a754faaca1f20cbf6452f004132aa43a64dbea862a13

AgentTesla

Executable exe b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f0e866e8c615056f07f4a754faaca1f20cbf6452f004132aa43a64dbea862a13
Cape
Cape
https://www.capesandbox.com/analysis/68265/

Comments