MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76
SHA3-384 hash: b469c23ce3f77b58b0e3e72d67affd0d2a106d8240a411baf72f74aeba99c8d7dccae7219c45b36a03ce49204494108e
SHA1 hash: d6b4112de47129196711e527d3cd946183c5b104
MD5 hash: a7d048741b41c6b939f9b30cbb7053ba
humanhash: winter-magnesium-skylark-floor
File name:Sample Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:900'096 bytes
First seen:2020-11-05 10:08:10 UTC
Last seen:2020-11-05 11:51:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:ZWmGssPt4pAUyfz8vzIUw9MFl5BS8vtm+7ZBtsf:Essl4eUEz8vzflJF5ZBtw
Threatray 974 similar samples on MalwareBazaar
TLSH 4815BFFA6242EA6BC40F043FF84B256193D9DF2D99F8914687C5B11913BC7CE52AC48B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: localhost.localdomain
Sending IP: 203.252.144.159
From: sunaree.pon@richmilbon.co.th<sunaree.pon@me.net>
Subject: Re: Sample Order Request.
Attachment: Sample Order.zip (contains "Sample Order.exe")

AgentTesla SMTP exfil server:
smtpauth.earthlink.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83200/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42665.18871.11799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521271
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309745 Sample: Sample Order.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 61 smtpauth.earthlink.net 2->61 63 nagano-19599.herokussl.com 2->63 65 2 other IPs or domains 2->65 75 Found malware configuration 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Sigma detected: Scheduled temp file as task from temp location 2->79 81 13 other signatures 2->81 8 Sample Order.exe 6 2->8         started        11 MfMrl.exe 5 2->11         started        14 MfMrl.exe 2->14         started        signatures3 process4 file5 47 C:\Users\user\AppData\Roaming\AbzrTinpd.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp60F1.tmp, XML 8->49 dropped 51 C:\Users\user\...\Sample Order.exe.log, ASCII 8->51 dropped 16 Sample Order.exe 17 9 8->16         started        21 schtasks.exe 1 8->21         started        23 Sample Order.exe 8->23         started        83 Multi AV Scanner detection for dropped file 11->83 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->85 87 Machine Learning detection for dropped file 11->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->89 25 MfMrl.exe 2 11->25         started        27 schtasks.exe 1 11->27         started        29 schtasks.exe 14->29         started        31 MfMrl.exe 14->31         started        33 MfMrl.exe 14->33         started        35 MfMrl.exe 14->35         started        signatures6 process7 dnsIp8 53 smtpauth.earthlink.net 207.69.189.202, 49730, 49731, 587 WINDSTREAMUS United States 16->53 55 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.142.93, 443, 49729 AMAZON-AESUS United States 16->55 59 2 other IPs or domains 16->59 43 C:\Users\user\AppData\Roaming\...\MfMrl.exe, PE32 16->43 dropped 45 C:\Users\user\...\MfMrl.exe:Zone.Identifier, ASCII 16->45 dropped 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->67 69 Tries to steal Mail credentials (via file access) 16->69 71 Tries to harvest and steal ftp login credentials 16->71 73 3 other signatures 16->73 37 conhost.exe 21->37         started        57 192.168.2.1 unknown unknown 25->57 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 20:28:42 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwicknxucoa265dti35ul546cyqezbddigcxb5lidwlyq534lz3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08f9ff6bbe01d3fab54974c872fbdf2f8fa1fd1f32649c776f0626030169272c
AgentTesla
3a5b1c9c7e10e40551f26dafe302f056f86ce6c6c138a96b0b79389a095b7fca
AgentTesla
3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e
AgentTesla
723ec630211ca5a3268bd62e03caeec38b40e5d33c0e80908fec14332f006988
AgentTesla
73884bc59571b3c7199849dcdfb8330b57435a822c320d1913eb990db842fbbf
AgentTesla
8bad16db1bd40fbc6e6fa8a9a9efd9f3bf8e95dd83af238625ee3f1f1ff1950c
AgentTesla
9efe8cef3127a10a3c0ee380a77298650e7a54e9e785d86f9871c00c2ad62bdf
AgentTesla
d5fa02045d60d623dacb74b1a719e571982f6a68ea7781c06f8d0ce104b98bd6
AgentTesla
ee126cf35bbdcf2b2e8bbff8f27371910f9037799d4a3f5dbba16e5dc39797e7
AgentTesla
f8bdfc90ffcf3990e7abacaccf1b927c0b51dd2b70cc96deda4d4841f17b2bcc
AgentTesla
+ 964 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201105-xjg1gzeavj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76
MD5 hash:
a7d048741b41c6b939f9b30cbb7053ba
SHA1 hash:
d6b4112de47129196711e527d3cd946183c5b104
Link:
https://www.unpac.me/results/f3293868-4c77-41af-ab99-d23d8989ef3c/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/f3293868-4c77-41af-ab99-d23d8989ef3c/
SH256 hash:
ac60d180bba049490c7f2e0c9b902ea9d79362037bdec6d26be5977b874a498f
MD5 hash:
da0fa1a6629e3a149e064b7fbb552d6a
SHA1 hash:
55a28ab3f4a10aee822e7e4e18498b263650dd8a
Link:
https://www.unpac.me/results/f3293868-4c77-41af-ab99-d23d8989ef3c/
SH256 hash:
b9bbdd631d549e56100805e0b7288e99830c7ad8b71fe9b0865f1d0ac26c0c03
MD5 hash:
ac40f1a425488e1c23326f237dc1c77a
SHA1 hash:
651ad64b077eb75851a4bb8575b6e12a772ad614
Link:
https://www.unpac.me/results/f3293868-4c77-41af-ab99-d23d8989ef3c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1b102eec80b48c5d7609a6dcd576ddbcf6763ab587c6153f2971b3c75c9da5f6

AgentTesla

Executable exe bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76

(this sample)

  
Dropped by
MD5 421ac3e014a5af7cbadbeecedb34f36f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83200/
  
Dropped by
SHA256 1b102eec80b48c5d7609a6dcd576ddbcf6763ab587c6153f2971b3c75c9da5f6

Comments