MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d55011272b280ef3806dc8ea48a9e60780d6afbcd1a296f482fa2860164b790b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d55011272b280ef3806dc8ea48a9e60780d6afbcd1a296f482fa2860164b790b
SHA3-384 hash: d090071c7ba0d79bea6484bde02dc1114723a04c561e3138bddcafdf2072afbfced7677b86c239e0524f1f3510890831
SHA1 hash: db8a63cc1caec420208f95d173803fecd2910a10
MD5 hash: 6b1e07b79a69d0f89c93d6955b93b19e
humanhash: fourteen-south-glucose-carbon
File name:Shipment Document BL-INV and Packing List Attached.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:876'544 bytes
First seen:2022-01-25 14:43:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:xCT4FTKSWC10NvKJ5sN4ojpkro8/FtXNCc9emk/QGoslFJoiN9v3ZYS:k+TzTs6boVkrDjQc9emkIjiFJoQ9h
Threatray 14'299 similar samples on MalwareBazaar
TLSH T18115F127766EDA31C62803BA40EF811903787F55DA63D30A7EC9379E0B127875E485AF
File icon (PE):PE icon
dhash icon 136d455d6d4d550b (25 x AgentTesla, 9 x Formbook, 5 x Loki)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document BL-INV and Packing List Attached.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 15:06:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/48dead17-0960-4e6e-9665-fdd0c2285521

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222535/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/61f00cb80f8c757253e7e1b7/reports/1abae573-13ea-4551-9d4c-1190535dc95e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1158bed5-99ee-44f0-94ed-a789a60219ce
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927219
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d55011272b280ef3806dc8ea48a9e60780d6afbcd1a296f482fa2860164b790b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 14:35:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vibcjzlfahphadnzdverkpga6annl542grjn5ec7iugafslpefq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
4d569622d088800b4545c0079d1406801aad0d685e1647a426a7e2f99a5e144a
AgentTesla
613d9fd936ee8220f24dc0e435bba895782a722a2035482acc5bedb9c2e84f10
AgentTesla
62b54609bea9a6af4f71daa41bfaeb75235f662d608480020257a9eba7255dd4
AgentTesla
6f871f3642191d04e4fe20f022f738d89b3ad90b531cef6adde91d10f257431d
AgentTesla
75c011f9b3573845b4a39599d433530ee9915ad39c443a299f142b919df1ee82
AgentTesla
7fb4a26d9f2c3a08c69d7f5838b7f88d8c6f31ab2aa69b130b150449baaea7ad
AgentTesla
b5f0e20f9980ba833f56a6bbe1e0e3deea46e566c0eab83a473c4705e2b295d6
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca
AgentTesla
+ 14'289 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220125-r36bvshbep/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
833fce36b7952995c62477ac33da40bb48f2848c41edd4bd44007ebca371921c
MD5 hash:
5753994cc3cbafea2c86c283e93d2b41
SHA1 hash:
c29b788da5ada00c00aa1e71f99c3fe3987f5722
Link:
https://www.unpac.me/results/d5d54f5c-827d-49c5-b066-8ee2dda070f2/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/d5d54f5c-827d-49c5-b066-8ee2dda070f2/
SH256 hash:
c302a7ef73299b3b6b2c4978f608168ae2cbe309a5bd10dfabdc2e1caef1240f
MD5 hash:
c2ba73f6ae751f81bf25a8eee3119c11
SHA1 hash:
3c5ee1e0b782989e66b808846a12a7aecfc593ab
Link:
https://www.unpac.me/results/d5d54f5c-827d-49c5-b066-8ee2dda070f2/
SH256 hash:
d55011272b280ef3806dc8ea48a9e60780d6afbcd1a296f482fa2860164b790b
MD5 hash:
6b1e07b79a69d0f89c93d6955b93b19e
SHA1 hash:
db8a63cc1caec420208f95d173803fecd2910a10
Link:
https://www.unpac.me/results/d5d54f5c-827d-49c5-b066-8ee2dda070f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d55011272b280ef3806dc8ea48a9e60780d6afbcd1a296f482fa2860164b790b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1991760/
Cape
Cape
https://www.capesandbox.com/analysis/222535/

Comments