MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc
SHA3-384 hash: d2301d5a4f9cb4cd83e0f28735968b08afac9df86472636cfb705492d50692f5c69c8a7bbe7b68fe91726100f2f4375a
SHA1 hash: c663be995787911a7b4e7c8cd0743954cdf46a78
MD5 hash: 3bc5d48e059091ad7bad2314dd61be65
humanhash: arizona-ten-kentucky-sierra
File name:Pejlestok8.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:162'824 bytes
First seen:2022-02-15 07:25:01 UTC
Last seen:2022-02-15 13:13:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:jbG7N2kDTHUpouDT/FjbQMDROyYnF62uby/ROr7Ey0tACPQ:jbE/HU//5QMdqnFjubY4t09I
Threatray 1'569 similar samples on MalwareBazaar
TLSH T144F3F1153640C87BE5A79330493A67BB4EF9E63125A64F870B517EB87D333918A1F322
File icon (PE):PE icon
dhash icon c070d88c8eeaf23e (3 x AgentTesla, 3 x GuLoader)
Reporter lowmal3
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:ORDREAFGIVELSE
Issuer:ORDREAFGIVELSE
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-15T02:20:41Z
Valid to:2023-02-15T02:20:41Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 736f72e9100489ef3aaf19bab9610154579c4ecb0f4cf2d2a3dcb290995f2357
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241543/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2943.30579.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a window
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620b5553a2660f3bb9d81330/reports/62edd77a-3b75-4c2c-9e41-2fb771eea1f5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e150ad2e-3917-4c27-aad5-32d5b66d7988
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939924
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572402 Sample: Pejlestok8.exe Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 32 mail.hotelfundador.com 2->32 34 hosting.hotelfundador.com 2->34 36 3 other IPs or domains 2->36 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 5 other signatures 2->50 8 Pejlestok8.exe 23 2->8         started        12 explorer.exe 2->12         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\...\SimpleColor.dll, PE32 8->30 dropped 52 Writes to foreign memory regions 8->52 54 Tries to detect Any.run 8->54 56 Hides threads from debuggers 8->56 14 CasPol.exe 11 8->14         started        18 CasPol.exe 8->18         started        20 explorer.exe 8->20         started        22 svchost.exe 12->22         started        signatures6 process7 dnsIp8 38 drive.google.com 142.250.185.174, 443, 49796 GOOGLEUS United States 14->38 40 googlehosted.l.googleusercontent.com 142.250.185.97, 443, 49797 GOOGLEUS United States 14->40 42 hosting.hotelfundador.com 94.126.168.68, 49811, 587 FLESK-ASPT Portugal 14->42 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->58 60 Tries to steal Mail credentials (via file / registry access) 14->60 62 Tries to harvest and steal ftp login credentials 14->62 68 3 other signatures 14->68 24 conhost.exe 14->24         started        64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->66 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 07:25:14 UTC
File Type:
PE (Exe)
Extracted files:
196
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfallxqqptqbm6y4avyxsxqq7yxojw5trtiowzmkzglznfhletoa._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
AgentTesla
10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46
AgentTesla
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
AgentTesla
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
AgentTesla
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
AgentTesla
7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8
AgentTesla
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
AgentTesla
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
AgentTesla
+ 1'559 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220215-h8za3adfcq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/caad8f6f-d2cb-4bd6-987d-8022290f821f/
SH256 hash:
0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash:
b1ba7a8263281244782ca5604876cb2c
SHA1 hash:
b8523dee6d7e74512a05c60cc35c0fddac370252
Link:
https://www.unpac.me/results/caad8f6f-d2cb-4bd6-987d-8022290f821f/
SH256 hash:
b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc
MD5 hash:
3bc5d48e059091ad7bad2314dd61be65
SHA1 hash:
c663be995787911a7b4e7c8cd0743954cdf46a78
Link:
https://www.unpac.me/results/caad8f6f-d2cb-4bd6-987d-8022290f821f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b940b5de107ce0167b1c0571795e10fe2ee4dbb38cd0eb658ac9979694eb24dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241543/

Comments