MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d
SHA3-384 hash: 4e2a8dd8556f75ca1963c103a7aabad2fc46c9119b2468b99dbd36e11e86a4e40764fcb2f66b872f756aacd775124e51
SHA1 hash: 79dc083ee22f5375068835776cbf79d8ad60fef0
MD5 hash: 723b81b1678222ffd6b6262ea5eba4b5
humanhash: ohio-april-william-thirteen
File name:COMPANY SAMPLES FOR OUR ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:798'720 bytes
First seen:2020-10-12 14:56:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:glr2TgdK1V8K191cIxybXZXZgP9wHPIHTqS:gl/dK/8K191cIx4Jq9AAzq
Threatray 494 similar samples on MalwareBazaar
TLSH DA05F02127A59F86E17E9BF50264215003F53A2B396FF21D2DC629EF6AB5F418600F73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hydrometik.co.in
Sending IP: 193.142.58.25
From: Rupesh. Patil<purchase@hydrometik.co.in>
Subject: COMPANY ATTECHED IMAGE AND SAMPLES FOR OUR ORDER
Attachment: COMPANY SAMPLES FOR OUR ORDER.rar (contains "COMPANY SAMPLES FOR OUR ORDER.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70151/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.4900.18932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/488644
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 10:13:23 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgrlgy5ipu7yxrhrqt7jfh3aewwpjwsnan45lfpkabxiqsqsc6oq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19bb5246a84d821d1d51156b664d58f544ad7c0a2898b31472db6c7ec952cff8
AgentTesla
42a35c010a543435698dcb69c82b5388e4b91727ee147b9acc60679f4ea1626c
AgentTesla
4951ac0526f553174ab6263d7af02821f01f7563f256ad57ed3f9425693cdc8d
AgentTesla
5a6ff674194fd8f0b7221de0d402f383eec634054768bd2df0e7adc2fa825953
AgentTesla
94493ff262c556d80e0cbfd7bb7741003335e4a10f80111b2756499c6cd058f9
AgentTesla
9db4c4a75f04844a37e15aa0762751beed2422027496e06b76a435c953d94330
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
cec5d45ac266dc0a06c2fba342097f117d35cb931001e9ee873e0183de0e8fbc
AgentTesla
db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576
AgentTesla
dca8d76c88ee16a9e17e7481f2912e955530296f6ce71e77db7dbadcbffc5c19
AgentTesla
+ 484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/201012-1sebv1347x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d
MD5 hash:
723b81b1678222ffd6b6262ea5eba4b5
SHA1 hash:
79dc083ee22f5375068835776cbf79d8ad60fef0
Link:
https://www.unpac.me/results/9c332b75-6a07-46d2-a787-c558175cd984/
SH256 hash:
0493e6a05b9f98cc6ab5de172d76b43763ea3d6b0f6ba3a4cd6f7d999b6e7697
MD5 hash:
67f4fa6590b997532032614f60afd181
SHA1 hash:
2ed01f7d0570b51c26bdf8bc8dcffd13f8e20038
Link:
https://www.unpac.me/results/9c332b75-6a07-46d2-a787-c558175cd984/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/9c332b75-6a07-46d2-a787-c558175cd984/
SH256 hash:
20f6b5e8b0f697eec9c2a4d14ac355fb0a1e94095f8631482b39b16a9ed312bf
MD5 hash:
de6872cf0e81a9e4955fa8492a626a97
SHA1 hash:
f96e5f5f4e04775ba4460cd8e46cb51622da5144
Link:
https://www.unpac.me/results/9c332b75-6a07-46d2-a787-c558175cd984/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1af8fae06cde440bb9c50d178cf81e1933ff1dd76b23fa65cf767232d5964e38

AgentTesla

Executable exe b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d

(this sample)

  
Dropped by
MD5 7a0c17867e993692a623439eb850f9e8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70151/
  
Dropped by
SHA256 1af8fae06cde440bb9c50d178cf81e1933ff1dd76b23fa65cf767232d5964e38

Comments