MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef
SHA3-384 hash:	7d0df01f8d9a6fdefbe77ddd5dfd268d5713a84b318d422648ee434e7e4862452d53c89e4e3e654def37d696690d9db7
SHA1 hash:	385430041bcba65afbe23cf93df094488898305e
MD5 hash:	2024e2c86242cb9d85eed391638b5bf6
humanhash:	item-skylark-sweet-five
File name:	Payment confirmation copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	483'840 bytes
First seen:	2021-09-03 09:17:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Ll+jt8uKSzpvlQTDTd72u7Szddgent0faqDydAP:LItHv0r7Sz
Threatray	11'147 similar samples on MalwareBazaar
TLSH	T16EA4D09D365076EFC857D9768D981C60EA61A47B431BE203A05722ADDE0E6CBCF120F3
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment confirmation copy.exe

Verdict:

Malicious activity

Analysis date:

2021-09-03 09:20:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c53cc0a0-bc77-42b4-bea4-cbb27ca293cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/185148/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Deleting a recently created file

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/773300e7-3218-4dc7-8f60-61d5ac3bb68e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/844685

Signature

.NET source code contains potential unpacker

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-09-03 08:19:49 UTC

AV detection:

9 of 43 (20.93%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wg4hrpn5nlrzb353hwnlajvnakr76h7jk6dlqfhussuwoqkscxxq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1afd03b60a1b8ef6bc7a15e7ebab6c20a57004432b9d165c3b6bdabd2332a890

AgentTesla

39e51eaed3555fc629fcf1e0d980aff64a7fc52cec11ba53c53085495f81e8c4

AgentTesla

7c3d54c847083ffc958bb52818010560aed26dc24a67f6ada0cd5da75136e245

AgentTesla

99c823dce3f531e2a4d5c7ac84b74bb630cb344f281519927d4c202c8bac1720

AgentTesla

beb8e474611b28c6750fa0d04a244d5898d7f3a724150351bcfb31dce4921a7f

AgentTesla

c8b6a81e3265d871aa1aa3b678c603cdd7679585a4be435d1fd95d650a7eaf95

AgentTesla

ce7554fa09d44e22a27ff09a105b6a50c26b1b7476b79a6c18941bb6b7d96b30

AgentTesla

df44cd96fc150bf5fe37a7eb55c98f30edbe8899d2b7ed86f42741b99405a67b

AgentTesla

e010bf9f74b274d6370a889265f97093b84662809605c0a862e36733c3d06be8

AgentTesla

+ 11'137 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210903-k9l38sgafq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

MD5 hash:

29db2e114b88ae1f6a00c9aa71690043

SHA1 hash:

ec82db71443556a5b320357b0b8b09e70ec1db9c

Link:

https://www.unpac.me/results/a81bc196-ae06-4b3d-ace1-549c90d8ecde/

SH256 hash:

5aa7973e8bcd586d02341e0de6aee64a8301c8bc98c77d2df72fc166c22555ed

MD5 hash:

cfb23989e00c3ee9c88c8ab3033bbae3

SHA1 hash:

be14cd9c062a04fcf113ac00b803337bb99864dc

Link:

https://www.unpac.me/results/a81bc196-ae06-4b3d-ace1-549c90d8ecde/

SH256 hash:

a0c3411c9ece934c346bfaf0d81ef34e6261e6da7291c62efbff3e66249932ef

MD5 hash:

ee9231b3b71f173c9691dde76521f112

SHA1 hash:

5d744817f7cc17ccee0cfffbcce35f9fc79ccdaf

Link:

https://www.unpac.me/results/a81bc196-ae06-4b3d-ace1-549c90d8ecde/

SH256 hash:

b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef

MD5 hash:

2024e2c86242cb9d85eed391638b5bf6

SHA1 hash:

385430041bcba65afbe23cf93df094488898305e

Link:

https://www.unpac.me/results/a81bc196-ae06-4b3d-ace1-549c90d8ecde/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b1b878bdbd6a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe b1b878bdbd6ae390efbb3d9ab026ad02a3ff1fe95786b814f494a967415215ef

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/185148/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample