MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22
SHA3-384 hash: c38c7835a8e394bdc216c314bd9ca8ae04320867817e0ab7f7a4ea40230c8bae2d55e0db0c7570ab0ec8b55871e5d895
SHA1 hash: 217bcab674b0622df483e81d9606fc8b1e35ab0f
MD5 hash: b27cea12a0b4de7a9fb32e1ca608d2a1
humanhash: london-oxygen-yellow-helium
File name:AWD1-2001028L PI.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:670'208 bytes
First seen:2020-10-20 08:33:30 UTC
Last seen:2020-10-26 08:35:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:PdqYzLzMo9fP2RT3Z40WzWlmS2ltXT9A1GKZHNYPzod6U9P7r9r/+ppppppppppR:Pv8oJ2RT+UTM55A1GUKzodJ1q
TLSH 3CE48B80D5856AA0EE5D9BB1653ACC3587333DEDA970E41C28DE3EAB3BFB7925110413
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 162-144-89-139.webhostbox.net
Sending IP: 162.144.89.139
From: Yusuf, <Yusuf@youngonectg.com>
Subject: Re: AW: AW: Invoice and Shipping Documents 
Attachment: AWD1-2001028L PI.gz.zip (contains "AWD1-2001028L PI.gz.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73358/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/497361
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 04:04:18 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wltznqpwwdqnqjgwwijjig5d2qquklzoti323ggdsg5foyo6pyra._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201020-ekp5wa5g1j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22
MD5 hash:
b27cea12a0b4de7a9fb32e1ca608d2a1
SHA1 hash:
217bcab674b0622df483e81d9606fc8b1e35ab0f
Detections:
win_cannon_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4cabe6c-4803-4ee7-a77a-201d61329dbb/
SH256 hash:
24c477c9b5799a6bd71377c60ba55b56c0c0d43c1e93c425d48e6cebe0d00251
MD5 hash:
b81c78f53c3fe07aa34070593db90e68
SHA1 hash:
6010b2ed68f0c29eac9c0fcf9c5903903119e7fb
Link:
https://www.unpac.me/results/b4cabe6c-4803-4ee7-a77a-201d61329dbb/
SH256 hash:
1598252ea9a2c4dd4fcf34f34ca516d44bf46a6521b77ad201ff8111e57aa1b6
MD5 hash:
46d3a19def62a3e248ecedbaf33f6722
SHA1 hash:
cd3cb50a7b8740e3c43aea97ff5659fbc75e89bb
Link:
https://www.unpac.me/results/b4cabe6c-4803-4ee7-a77a-201d61329dbb/
SH256 hash:
8e078c222c56973d53ec3e707a61a6258f99dc0308d46951dd650fe34159fdf5
MD5 hash:
adcbdc3eed3f0ab92731b592c1335835
SHA1 hash:
e738bf8cce49b0ebd1fdcbf9f3f631340c9132ad
Link:
https://www.unpac.me/results/b4cabe6c-4803-4ee7-a77a-201d61329dbb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_cannon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 13ebf611440689c9d35a9f91258074f588a584aecb6049acd6202a8ee6f36e98

AgentTesla

Executable exe b2e796c1f6b0e0d824d6b212941ba3d421452f2e9a37ad98c391ba5761de7e22

(this sample)

  
Dropped by
MD5 0c085b760845e4c5df5edcf07ebb2580
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73358/
  
Dropped by
SHA256 13ebf611440689c9d35a9f91258074f588a584aecb6049acd6202a8ee6f36e98

Comments