MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c
SHA3-384 hash: 342f55843a678bccd29b1e4e29f73cdf895f7d9df27950e35f8f211094953e49250b895444f28f117d631a116c8a46d2
SHA1 hash: 900dab43ae7e38cc1a8237c3fa49d132b5ee9e1c
MD5 hash: 9a826012bc1ec72b59c773d3c5093c11
humanhash: spaghetti-sad-montana-kentucky
File name:invoice 2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'512 bytes
First seen:2021-01-15 06:26:04 UTC
Last seen:2021-01-15 06:29:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:CV5asEf+uiKaJ67fnwJLO88YIF1sV+FOCowPmUrKR80LV:CV5ef+X6DnmT8UV5CFLe/V
Threatray 2'157 similar samples on MalwareBazaar
TLSH 63E4220426ED9F0ACD7E5BF96BE0091517B1683A7A77F32C4D96A4DF2892B14C701B23
Reporter cocaman
Tags:AgentTesla exe


Avatar
cocaman
Malicious email (T1566.001)
From: "MAK Trading<import@atg-glovesolutions.com>" (likely spoofed)
Received: "from atg-glovesolutions.com (unknown [103.145.252.28]) "
Date: "14 Jan 2021 20:34:11 -0800"
Subject: "Proforma Invoice"
Attachment: "invoice 2021.exe"

Intelligence

File Origin
# of uploads :
4
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice 2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-15 06:29:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40a5f71a-e7f9-43d3-a52e-c92a4776d067

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114519/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582285
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 05:20:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2anpq7yqcy6konijffc4lpehcccw52attgqvxynb2aah6cq6cz6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b467c02c56a9130e3fb9e62e0ee62aa6b950845c9858f95656e659b814699c3
AgentTesla
2e525c09344f83f1f77d92e492a3fe75158e5424dcc22be92a45870168275879
AgentTesla
3622005ae3bfc501cdba1551166885af68fbdf4deb6b780880e8b1e71e8f3cf5
AgentTesla
49c4ccb66851d9f01f95a8c8d0b68110e8e66bfb36cdecc5637de97ab8c08082
AgentTesla
5128bb068a8ab072f70e24e50edbb76198f9ed7859534505cf62c067bb1221de
AgentTesla
566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
AgentTesla
9f4258e5c61e45d8cedece680a26b83be12413727685afdf469bc91727751a8c
AgentTesla
a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
AgentTesla
a982ada2d2ac5c1f57a98aeb33fb4cb64cf90f04aabba376c675f5a7a086fd60
AgentTesla
e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7
AgentTesla
+ 2'147 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210115-a9d6dhkcy6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
15c3e0c9b8278d98fa10cfb57b6097a86839b31033abac4448cd124ea42eabbf
MD5 hash:
6a992a791f789f17e00a20fc5921de9f
SHA1 hash:
df5a53fbd238bc3fde661c04f9a960ef81736588
Link:
https://www.unpac.me/results/1e970a36-0d73-42a6-80ab-660856d5d437/
SH256 hash:
c0cb0709dbdb91718fd5f8984d4239010b6b0637970d7d09facedbce01f1338b
MD5 hash:
958a7021c54675cbdcfc62223e8603fe
SHA1 hash:
9ef0fdd112a1b5dfebc8e13faf11e54f465b1c15
Link:
https://www.unpac.me/results/1e970a36-0d73-42a6-80ab-660856d5d437/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/1e970a36-0d73-42a6-80ab-660856d5d437/
SH256 hash:
d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c
MD5 hash:
9a826012bc1ec72b59c773d3c5093c11
SHA1 hash:
900dab43ae7e38cc1a8237c3fa49d132b5ee9e1c
Link:
https://www.unpac.me/results/1e970a36-0d73-42a6-80ab-660856d5d437/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d01af87f10163ca735092945c5bc8710856ee81399a15be1a1d0007f0a1e167c

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
AgentTesla
Cape
Cape
https://www.capesandbox.com/analysis/114519/

Comments