MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2
SHA3-384 hash: 184fb796c1a3ceb7eb3ffc98f28c31068ed4450f922940f3338a0f5b0bb0963c1a8db278326528ccae0bb6e9ad1573f3
SHA1 hash: 1f0f895ae78274c4add3be2800ca46339a12862a
MD5 hash: f1e562cd2288a33b2d446df015d64916
humanhash: high-eleven-washington-mississippi
File name:one new parcel.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:949'760 bytes
First seen:2021-04-07 14:40:12 UTC
Last seen:2021-04-07 15:56:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:5hbNkJSDTW+XbaRI0/w4RQxPVc4Q0QcedRtDcVYr:LxkJSDTbXWRIavKzc40cedRh
Threatray 3'759 similar samples on MalwareBazaar
TLSH 2F1501716294171AE87ED775902500100BF7B90AE336FB6D7CAC528D1A62B43EB33B5B
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
one new parcel.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-07 14:44:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0459812-50e8-4b0c-a371-1cbf53140e7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132871/
Detection(s):
SecuriteInfo.com.ArtemisF1E562CD2288.1581.10088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668819
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 14:41:05 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2hzignffjuq6flszhjy4myr5qxpsadzgu2u4ejcx7yuyqnx5gza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
10d40d8ea3d7b67007bcba4f2286e136579e28c2a14c207ed522dde9063994e5
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
393581c18056d7a4d1f141bbdff6c4d9006c1d15443ec16567802b37209e7720
AgentTesla
62e4849bf2b02dd9508f6db60bc9f0d0e982ddfb607b9816e4a777c8cf5542ec
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
a3c0fba4670ffe0873aa0ac3d0d337e9ead4257b02ad2e768ae2c363b6a9bc94
AgentTesla
b8d2d8256bd8611011c3a33010dba982649acfbdce46270925ee14a6bdfa6d94
AgentTesla
c5d51b412716cb23b237dfb43f0cbd62191f357ccea814f37394e7d019221fb4
AgentTesla
e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159
AgentTesla
+ 3'749 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210407-e59awe8y6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/a534ef2c-1be4-4aba-b072-654b90225dc4/
SH256 hash:
b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2
MD5 hash:
f1e562cd2288a33b2d446df015d64916
SHA1 hash:
1f0f895ae78274c4add3be2800ca46339a12862a
Link:
https://www.unpac.me/results/a534ef2c-1be4-4aba-b072-654b90225dc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

1e67398c0c0913f2a87304d916df5f586f4b52c8fa0acb719c041c0379887237

AgentTesla

Executable exe b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2

(this sample)

  
Dropped by
MD5 ac5c4a968a2cfc1a535c087017b8fa4c
  
Dropped by
SHA256 1e67398c0c0913f2a87304d916df5f586f4b52c8fa0acb719c041c0379887237
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132871/

Comments