MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e
SHA3-384 hash: 00026e35729c228dcc34d039a65ed3d0fd9987cd6cf6be1f67c232e873f1ded9f49574c541519190872d159a643380b8
SHA1 hash: b027a5fc61dcaa0adb8e2fcc9129fcca7f28c670
MD5 hash: 4c5ec62b048ea1ef463ec7e5015b8ca7
humanhash: carpet-lion-rugby-india
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:629'248 bytes
First seen:2020-10-12 05:57:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:BMAcFvchcaw+dZ6SGFBcYiYEG3OCr+TgGbxSBtmR:qFvcfwkcTFBcYv36MGtqtO
Threatray 449 similar samples on MalwareBazaar
TLSH AAD4023527094E2BC67D1479A9BA514653F1E2923FC2FB1B7DD1319829A23820B137FB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: aol.com
Sending IP: 209.58.149.90
From: ADG SUPPLY-USA<quicksupplies@aol.com>
Reply-To: purchasemd@yandex.com
Subject: FIND ATTACHED RECIETE
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69922/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/487954
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296425 Sample: PURCHASE ORDER.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 88 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected AgentTesla 2->21 23 Yara detected AntiVM_3 2->23 25 3 other signatures 2->25 7 PURCHASE ORDER.exe 3 2->7         started        process3 file4 17 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 7->17 dropped 27 Writes to foreign memory regions 7->27 29 Allocates memory in foreign processes 7->29 31 Injects a PE file into a foreign processes 7->31 11 RegSvcs.exe 2 7->11         started        13 RegSvcs.exe 7->13         started        signatures5 process6 process7 15 dw20.exe 22 6 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 00:06:41 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2oy3ahmi5e43lnci7porxgqeeuf64dcgvyjx3uwmzq2u32u2cv7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067
AgentTesla
1aa81765895e9174878d9b0be9c15918062793b54f03ed6b088cf47dbcf2570b
AgentTesla
21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2
AgentTesla
286b00dda63a28a1d22aae31f1622b04700207b92ab0f033e8885fb55eaa3e86
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
727e1f0aabc7d8fb68f756541bd8797dd810c2b3ab684ae6e53732e461425f20
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f
AgentTesla
ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537
AgentTesla
+ 439 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201012-kh65jw654n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e
MD5 hash:
4c5ec62b048ea1ef463ec7e5015b8ca7
SHA1 hash:
b027a5fc61dcaa0adb8e2fcc9129fcca7f28c670
Link:
https://www.unpac.me/results/088a4d73-6de4-4c9b-af83-c26c6ae23453/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/088a4d73-6de4-4c9b-af83-c26c6ae23453/
SH256 hash:
acab412ea2fe5b676d6eba65b71e56d3263e32cd137f0e13b97ae222e2c08993
MD5 hash:
aeaef5ad252c47eeb571a9a96d018e1c
SHA1 hash:
47a192e6329c197912acdc6bf23923be591249cc
Link:
https://www.unpac.me/results/088a4d73-6de4-4c9b-af83-c26c6ae23453/
SH256 hash:
beb68cced148eaf02d40dae99d0e7ccd3df81fbfba9c48843b0b7e7081fbb77f
MD5 hash:
4265579a37c383db1d9ef74b3ca54194
SHA1 hash:
84c14e03a354e41d134ab3f0f6f017edbce49a50
Link:
https://www.unpac.me/results/088a4d73-6de4-4c9b-af83-c26c6ae23453/
SH256 hash:
b905308a43bb5d41b04f812e38084fe2884d281082b061566c2ae45b685ed241
MD5 hash:
43764cbed874115ee4075be2bc38614e
SHA1 hash:
95483838143999177de9025f38d294c75d49dfb1
Link:
https://www.unpac.me/results/088a4d73-6de4-4c9b-af83-c26c6ae23453/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 781944533aabbf0fa90eb7a9e638bdfdf9930f7e4d234ddfab3baaea65469879

AgentTesla

Executable exe d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e

(this sample)

  
Dropped by
MD5 858ad439b0d4d6167d1a3443774d7d42
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69922/
  
Dropped by
SHA256 781944533aabbf0fa90eb7a9e638bdfdf9930f7e4d234ddfab3baaea65469879

Comments