MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13
SHA3-384 hash:	53656ebc08c8173bb387e295b9d53c38463dde9737bc72dad7a4c24fda99d27330a624ae4bee290f13403f352918854c
SHA1 hash:	dbe6aed4f68d1514d5438108a16a8dc5d3869159
MD5 hash:	3eff566b5c2166aa379533b68afa1d3c
humanhash:	ceiling-montana-avocado-salami
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	540'672 bytes
First seen:	2020-12-03 07:29:58 UTC
Last seen:	2020-12-03 10:26:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e16bf585377a2c04ffc8f29a891831dc (5 x AgentTesla, 1 x Formbook)
ssdeep	12288:3734kMrkzxa527Ui03drcC5KLXQwTaN8888/DL1:3Za5x4+gCN8888v1
Threatray	1'632 similar samples on MalwareBazaar
TLSH	F6B4E109B5808034E8B302B689BE6B15527CFD70476769CBB3C87C1E5A75AD27A31B37
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/106508/

Detection(s):

SecuriteInfo.com.Variant.Graftor.595395.15439.27561.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554339

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13/

Threat name:

Win32.Trojan.EmotetAE

Status:

Malicious

First seen:

2020-12-03 02:53:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zkqyirbdzmqepsdw35rhn7iocrxqrysurf66hsovdmoedm6tl4jq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3b38da2795ab7148dabc9e9c5326305725793b0832a8c608f8387f0089914145

AgentTesla

423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b

AgentTesla

4fcb20f32c0c827e9f3977a2874dd0acc7163dedcddf56004e03a38a53d720f9

AgentTesla

87b13e8ecfe5abb89f206f65c0e0676a70bb25533f3af9fd336c1075e7abd174

AgentTesla

89e36f73f667df03dd636f766a9b127c9c0b307fc0ae3149b2d1ff6f34c84b09

AgentTesla

a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49

AgentTesla

c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105

AgentTesla

cbc1b2bb407f02710060a11cdd74386337b92597af3d8de8c1d90c33672868ec

AgentTesla

e12243e5bae35e437f9e88665c52d3b5086cc5dab0eb5c682132a288625b023d

AgentTesla

+ 1'622 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201203-fz6bfwn8rn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13

MD5 hash:

3eff566b5c2166aa379533b68afa1d3c

SHA1 hash:

dbe6aed4f68d1514d5438108a16a8dc5d3869159

Link:

https://www.unpac.me/results/d6869f47-3e7e-4b76-8c28-63928259cefb/

SH256 hash:

d80de89658c401e4cda99334077b5d1d4fb3b20a92bf54df0a87033c4b75c197

MD5 hash:

8171fab0ac4777d2633a39a56b7b013b

SHA1 hash:

b7ffaffbd1e44b36c496c04be1aa5c0f3cfcf591

Link:

https://www.unpac.me/results/d6869f47-3e7e-4b76-8c28-63928259cefb/

SH256 hash:

fb3c80ef8a04692ffa8bd49d20c2a95b9e6085c74029345f3396edf92c77c3ee

MD5 hash:

e61b36952c7905ddbb788d5fc7db5cf3

SHA1 hash:

34ceb326ba927c2b26613a32a66b3f4facf5eb9c

Link:

https://www.unpac.me/results/d6869f47-3e7e-4b76-8c28-63928259cefb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.