MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30
SHA3-384 hash: 1cc78876c926fe96a1ce5baae963eeafd5cdcb6261624dc7c1a9377218a4e47ea090cbe6fb287b4f818da60ec93fa607
SHA1 hash: d702e44587fe14525a09cabbbe0c91091740aa6e
MD5 hash: ee4d83b3b9cb5e1f371768ac32242f0d
humanhash: ack-artist-batman-iowa
File name:Shipping Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'425'408 bytes
First seen:2021-12-06 14:16:51 UTC
Last seen:2021-12-10 12:28:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:GodcL3ZIU+z75BGXP2HHXAwiuvkMDny9GQd7G0O7R:GodcL3ZIxz78ooSTry9cR
Threatray 13'291 similar samples on MalwareBazaar
TLSH T11F657B5C317025AFE83A853145541F779EF12C7D826B93CE731734AB8ABE9428F242E9
File icon (PE):PE icon
dhash icon 86e8c0c8ccd89ce6 (18 x AgentTesla, 18 x Formbook, 8 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents.exe
Verdict:
Malicious activity
Analysis date:
2021-12-06 22:27:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9f7b1fc-5a88-4262-81a4-0825a90bdc5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211816/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ae1b614d8e6f3a5e14960b/reports/f72e25aa-ad77-4aa5-87b9-34f33e4749d6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8de75b0e-e8a2-43bf-bd9c-901a3d48f024
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902333
Signature
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 10:56:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rjqcz2ssiragqu25nu36ow4bgh5fk3bxozxv5542yymtgwurmya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
1cd1eacc5fd5d45b5059d2542e5a304a378af59a70335f562b0611e9659acbac
AgentTesla
4605f50cd6012c2b58170aedcdb4da09f18d2072ec76a3f5af4a4e79f5b5c1e0
AgentTesla
8ee66437262784d5fc5dcfa68d751bf0425e99fbeff67c8f01572f9404cee6f1
AgentTesla
9509214ef8fd1704c88aebdd75cf26345735cf6901af44de6038dce4e4d46f34
AgentTesla
a96249e0df2c88e2e047ad332ba7d2755dd6f390d39afc67de05ddfa8726e53f
AgentTesla
b501cf5c16de173d95ee0b491d5a5a7ab5a32135f60a669643aec169e6fd6a44
AgentTesla
da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648
AgentTesla
df5e40d1e917f0bd4c424f65c8e2557d094f5eff22b4ba6f63f093333ebbb8a9
AgentTesla
+ 13'281 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211206-rlpyjshbc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1eba3e6e55f4aa87ee88dad11183f808f00870bf6277e3ae19fb31400a1dbe5b
MD5 hash:
00b620728472aef2af115e0455930cf8
SHA1 hash:
649a4ad0f13a3176ea36b855c1b36fbce246446a
Link:
https://www.unpac.me/results/5a5ce866-786e-4094-bceb-dacc77ded7c7/
SH256 hash:
a39f4ebc3c842eb681eea54f813b3b4089fb7889a3e493b0f89d28736dd0e71d
MD5 hash:
04e56d70431e528664c4e0be2b62b3f5
SHA1 hash:
4f6a46b2ab5f8b5bb08fa08d735edab3ca7f462e
Link:
https://www.unpac.me/results/5a5ce866-786e-4094-bceb-dacc77ded7c7/
SH256 hash:
d43543ea242e179268217be3667849e979049228cdcaea8294a0015bbf836db4
MD5 hash:
dafa2375c7264a37937d40452bce605b
SHA1 hash:
0aa52330e260040bb656010b0f151c5a8fbf1fed
Link:
https://www.unpac.me/results/5a5ce866-786e-4094-bceb-dacc77ded7c7/
SH256 hash:
d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30
MD5 hash:
ee4d83b3b9cb5e1f371768ac32242f0d
SHA1 hash:
d702e44587fe14525a09cabbbe0c91091740aa6e
Link:
https://www.unpac.me/results/5a5ce866-786e-4094-bceb-dacc77ded7c7/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d45301675292/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d453016752922203429aeb69bf3adc098fd2ab61bbb37af7bcd630c99ad48b30

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/211816/

Comments