MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
SHA3-384 hash: bab6a44fbcf48b11efafe64f0e443992b6174db4cca727dab4fbc594c9affcdf5b6fde440a19f0c8170730a77d772d9e
SHA1 hash: 49357c81c343129ed07befbf52acdb1b981f75d0
MD5 hash: 0f5b2bfb181e2e278aa4e00860b637a1
humanhash: delaware-beryllium-california-louisiana
File name:RFQ_110109564 11010965483- Vogue Sourcing Chennai Office.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'157'360 bytes
First seen:2021-03-02 08:07:33 UTC
Last seen:2021-03-02 09:27:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa25291894013102f014c94861e7259a (5 x RemcosRAT, 2 x AgentTesla, 2 x Loki)
ssdeep 12288:9R61okjK9imvFqzAUC9AXVA9eQqcYcST6EAmWv13bGPlbX2dypFA440CZLCRuCn:Dcw9isFqznC9SAsQ7m8dGPfFA4409
Threatray 22 similar samples on MalwareBazaar
TLSH 60357C90E2434831C53717799C3F5D34582ABE11A929E64A3BADBD7C1FF72C2282725B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: nitro.superhosting.bg
Sending IP: 164.138.219.24
From: Vogue Sourcing Chennai Office. <productions@voguesourcing.com>
Subject: RFQ_110109564 & 11010965483- Vogue Sourcing Chennai Office
Attachment: RFQ_110109564 11010965483- Vogue Sourcing Chennai Office.gz (contains "RFQ_110109564 11010965483- Vogue Sourcing Chennai Office.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_110109564 11010965483- Vogue Sourcing Chennai Office.exe
Verdict:
Malicious activity
Analysis date:
2021-03-02 08:23:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55eab92e-fd44-4ed0-957f-643ce5faa2d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120861/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/623458
Signature
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-02 08:08:09 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbrbf4jdyey5w3ivsvm3j6o7gnejizux5shcs6asdojfafdbtzoq._file
Verdict:
malicious
Similar samples:
2cd722bc4e448f38f4e79e69a48a7fc3f92c09586e50bc0f3f9f8dc5f4495fcc
AgentTesla
3aeac75dedb84f873b1982843de3adcf11d956f1645eb7a91625de0dd67f1f8a
AgentTesla
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
AgentTesla
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
AgentTesla
a2c3a1451cbc854d4b5929132eb96e9e34b2a1f3bedb490b26699381bb80eeee
AgentTesla
a84ff17c2a70d4953ce67e44cf6a3160feaf4a13d3bdad4aefe94810ef124c44
AgentTesla
ae1101f81ed495b405d0f80d678da0a6eff8e2f9c432734302ffb764b215de0a
AgentTesla
bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a
AgentTesla
c74a02a5fb3879870c5c5b0ead39c54dffd97ee414cae94360c6dd12d9d023ae
AgentTesla
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
AgentTesla
+ 12 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210302-d46t7nqjna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e3c90bcc957e5471b59913a368326c7811a0592b83c5e78e8a471efdf33f6e0a
MD5 hash:
75b1f06bf00804a823311f296418c9ed
SHA1 hash:
fe86e556fa6f655a85515aa80c901e9ec253594b
Link:
https://www.unpac.me/results/1b78b8c5-2606-4c2d-83de-28ab5f151d2c/
SH256 hash:
422ebd4ea3389b71e7c69c17a1242815e1e0887167a0558c70a520c5f224c2ab
MD5 hash:
184a0ae4f76e0bff38f8991e731865e1
SHA1 hash:
ddea632a0e21c855ed033cf75f91f46c9714864b
Link:
https://www.unpac.me/results/1b78b8c5-2606-4c2d-83de-28ab5f151d2c/
SH256 hash:
558439dc27155d55931175803cf153050f60b725c130e99bd533fb6c9731edc5
MD5 hash:
da06d28e39cf35f19387b21dae48f73f
SHA1 hash:
7aefe193f7c62efbea56a5acf781070eeca9dd72
Link:
https://www.unpac.me/results/1b78b8c5-2606-4c2d-83de-28ab5f151d2c/
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/1b78b8c5-2606-4c2d-83de-28ab5f151d2c/
SH256 hash:
b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
MD5 hash:
0f5b2bfb181e2e278aa4e00860b637a1
SHA1 hash:
49357c81c343129ed07befbf52acdb1b981f75d0
Link:
https://www.unpac.me/results/1b78b8c5-2606-4c2d-83de-28ab5f151d2c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 6081a28045e31a0ce5fd473609bc0ae3c0c427fb9c58fea3a527273e38a2caf7

AgentTesla

Executable exe b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d

(this sample)

  
Dropped by
MD5 0ddb2cccc572baa850ee315955acaebf
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120861/
  
Dropped by
SHA256 6081a28045e31a0ce5fd473609bc0ae3c0c427fb9c58fea3a527273e38a2caf7

Comments