MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d
SHA3-384 hash: 12e4aceb2c02767491859aa0c27a8f7b860a506630c85a905f756f56940774180baf9da690df5f60010903f99cf64b92
SHA1 hash: cc4a4eb91144d07c10f1bdd7e6792af8b0566738
MD5 hash: 7d099c282cbdc3f53e238affd41e380a
humanhash: missouri-orange-leopard-oven
File name:Payment Details_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:47'232 bytes
First seen:2021-04-01 07:28:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:8HPW6sggdq85k9ICxGQMSXlGflxGflvx/FIwJGun51uS7sQljghW:EPW6jgdq8O9vjX77sQhJ
Threatray 80 similar samples on MalwareBazaar
TLSH 18230FE459B984E7DD6DFE3097D2680EA435FE7722114617C0A681C3CAF27921DC426F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.sertimsde.cyou
Sending IP: 195.242.110.232
From: info@sertimsde.cyou
Subject: Hsbc-Payment Details
Attachment: Payment Details_pdf.gz (contains "Payment Details_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Details_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 07:51:59 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/c14a1bd9-c204-4953-916a-00ea3f41d78e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130528/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Moving a recently created file
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661807
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379837 Sample: Payment Details_pdf.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for domain / URL 2->65 67 Antivirus detection for dropped file 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 10 other signatures 2->71 7 Payment Details_pdf.exe 20 13 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 11 other processes 2->16 process3 dnsIp4 57 asdcqwdwqx.gq 104.21.15.11, 49699, 49713, 49724 CLOUDFLARENETUS United States 7->57 47 C:\Users\user\AppData\...\VxDYIVno.exe, PE32 7->47 dropped 49 C:\Users\Public\Documents\...\svchost.exe, PE32 7->49 dropped 51 C:\Users\...\VxDYIVno.exe:Zone.Identifier, ASCII 7->51 dropped 53 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 7->53 dropped 73 Adds a directory exclusion to Windows Defender 7->73 75 Hides threads from debuggers 7->75 77 Injects a PE file into a foreign processes 7->77 18 VxDYIVno.exe 7->18         started        21 cmd.exe 7->21         started        23 powershell.exe 8 7->23         started        29 8 other processes 7->29 79 Antivirus detection for dropped file 12->79 81 System process connects to network (likely due to code injection or exploit) 12->81 83 Multi AV Scanner detection for dropped file 12->83 59 172.67.160.253, 49721, 80 CLOUDFLARENETUS United States 16->59 61 127.0.0.1 unknown unknown 16->61 63 192.168.2.1 unknown unknown 16->63 85 Changes security center settings (notifications, updates, antivirus, firewall) 16->85 25 MpCmdRun.exe 16->25         started        27 WerFault.exe 16->27         started        file5 signatures6 process7 dnsIp8 55 asdcqwdwqx.gq 18->55 31 conhost.exe 21->31         started        33 timeout.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        45 3 other processes 29->45 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 07:29:15 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xawuy2nffue37sissxirbvtzqwj5bt3kwjqh4mtpclzmvhfky4oq._file
Verdict:
suspicious
Similar samples:
19949d4abee41c81c343543fc5e71de14f297440940bceb3a8f2451c7edb7d9c
AgentTesla
4e5889dabf93d7e1e6a2880155bffdda4cb1b2f4de8b9924aa1820714fabbbe8
AgentTesla
5ef3c86e05749f489fa0e6ac47f42142b9215750f5764fe4d02bffde19b56f54
AgentTesla
712c1077c77ff7e4f69fc4184c29b82b796fe0103204dd95b3a620cb64005ac8
AgentTesla
971b23e89575ff2b47e5639b20f902f7b7ce60b9f771a973c1f02fe4a211fb90
AgentTesla
b64422c4e30cfeaa48bcd34feff0a7b56125307f0dad0447dfae34d3743f3bb8
AgentTesla
dd5b025ec562b7a10027aedae9f07c6b6db3851d27d81bca4bd6216718ba08e0
AgentTesla
e68b161747e78a666871a5dc503d39ae7b16718e2546fa7ac9c65b37fd9035eb
AgentTesla
f218bab46409d5be3646a0b3d7c5af1c177df659b7e5a1055d12019cdab9409a
AgentTesla
f5bed5c378921320c9c740e332e83dd05bcc3e888213f7478029c39fb200c583
AgentTesla
+ 70 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210401-j9s3jhf396/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Windows security modification
Executes dropped EXE
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d
MD5 hash:
7d099c282cbdc3f53e238affd41e380a
SHA1 hash:
cc4a4eb91144d07c10f1bdd7e6792af8b0566738
Link:
https://www.unpac.me/results/ff1e05a4-7ca4-4eef-bdfc-36d2b8a9eb01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 75eb22476e4f2943824599ef1d72d31dcbd490a21d7f22969418d88ea2b5456c

AgentTesla

Executable exe b82d4c69a52d09bfc91295d110d6798593d0cf6ab2607e326f12f2ca9caac71d

(this sample)

  
Dropped by
MD5 4c85cddc8e76eb2e4d27feda08d34541
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130528/
  
Dropped by
SHA256 75eb22476e4f2943824599ef1d72d31dcbd490a21d7f22969418d88ea2b5456c

Comments