MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f
SHA3-384 hash: 61ddfe71fbd473b12129b35b06574ca93ca8018d6f2873243d3689c79f0d95f7798a42d1c9dbcce4f86ac639933bb01f
SHA1 hash: de7f358e5a6422f673d6bb86c96c869519fb82ce
MD5 hash: cdad022617e075b15d9e3d3665a2d18a
humanhash: three-april-iowa-arkansas
File name:Outstanding Invoices.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:534'528 bytes
First seen:2021-02-12 09:23:52 UTC
Last seen:2021-02-12 14:29:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Z8ev3rSoYW3H7cftOuR6T6Ydrbm+R2CKr6LD37:Z5zSonLcVOuR6T6YtoRCD37
Threatray 6 similar samples on MalwareBazaar
TLSH 37B423089B589738F5A6C1BAEF660D9426B6C91C1863E709055DB1CB2D22FC39367F3C
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT SHIPMENT DELIVERY.exe
Verdict:
Malicious activity
Analysis date:
2021-02-12 08:03:26 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/1056b694-7c48-4a2e-b120-519cab4d070f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116906/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606639
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 07:25:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w45pmma72syo77yj4q62zf5yvpzohwgy53b35zbvaaxdedvo35pq._file
Verdict:
unknown
Similar samples:
5202a2ffe0b88802b22d6cd5009aed17424b969ee0a69d34848d0b1dc1818a33
AgentTesla
6118f0c08d35a0dacc436ecc89379620c5d966f7cba43a6148684dd4a06c81ad
AgentTesla
7d66022b23aa84304657d92e2594f56331036896d42538a6aed0f24c9db6ded9
AgentTesla
872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4
AgentTesla
9efbe2e08784ff116692693b1d1c759c6446741cc515662c2b1bacdc00809754
AgentTesla
e7a4a4b30f3fbf4f31548ae91975f0b9c866045e65a370d9c775433689db1adf
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210212-nxjftn8r3n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/4ef8d883-9a1c-4ab9-a553-08ca36500ad2/
SH256 hash:
ad46822f5ed6dba6ed0de6b3800ae3a46382619fb26692abe146ff4cb7f32326
MD5 hash:
81318106cb139004ce956b7e2eaa2ff1
SHA1 hash:
adfb000c0b397158d7a63cd884628ef201d28785
Link:
https://www.unpac.me/results/4ef8d883-9a1c-4ab9-a553-08ca36500ad2/
SH256 hash:
ebb3a21f89dc29c6f477a9772635bff83525692bd09ff28e820f7cc0bde15dc4
MD5 hash:
1ae6c8e3b78f5bc5361d925db2920ba0
SHA1 hash:
798047f346f985eb9cff84edbeb1fa69c97fefae
Link:
https://www.unpac.me/results/4ef8d883-9a1c-4ab9-a553-08ca36500ad2/
SH256 hash:
b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f
MD5 hash:
cdad022617e075b15d9e3d3665a2d18a
SHA1 hash:
de7f358e5a6422f673d6bb86c96c869519fb82ce
Link:
https://www.unpac.me/results/4ef8d883-9a1c-4ab9-a553-08ca36500ad2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz b3100245e835d47407cb39813b2739be347bfc8c3d1a8a32517959849f8cbc46

AgentTesla

Executable exe b73af6301fd4b0efff09e43dac97b8abf2e3d8d8eec3bee435002e320eaedf5f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b3100245e835d47407cb39813b2739be347bfc8c3d1a8a32517959849f8cbc46
  
Dropped by
SHA256 282c727a81da8bad800396545090e553673ca31c1df8281d4f2106dbe7afdc66
Cape
Cape
https://www.capesandbox.com/analysis/116906/

Comments