MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d67be2031b0c85b8b9e3a75e22918001424f13fae04f909ebcc5b36456401cb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d67be2031b0c85b8b9e3a75e22918001424f13fae04f909ebcc5b36456401cb6
SHA3-384 hash: 26fde727165648823316980a3dcd0dfd1c0f9722415d12763fe43b3b2f63c3606a418f6354c7715e1fc8b3add347ce6d
SHA1 hash: 9734bb87c3d4b0fb0b88f35a32ca5ddebdd53381
MD5 hash: d38a11d0ff64bcbafe1e584af15393cf
humanhash: iowa-monkey-finch-batman
File name:order confirmation nr. AB-1006779.pdf..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:625'152 bytes
First seen:2020-10-21 12:49:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tEzNgcJfiZIrHenROZuV2F+71EN3utGC+A7TXeyEBgyLz9:kgcJOsA2F+xElw+KTXeym/
Threatray 701 similar samples on MalwareBazaar
TLSH EDD4E062F3449D96F41F077D88B2A4001373EB669727D74E29DA327949B335201ABE8B
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74132/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505828
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301967 Sample: order confirmation nr. AB-1... Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for dropped file 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 12 other signatures 2->43 7 order confirmation nr. AB-1006779.pdf..exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\qVWoSh.exe, PE32 7->23 dropped 25 C:\Users\user\...\qVWoSh.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp3F33.tmp, XML 7->27 dropped 29 order confirmation...006779.pdf..exe.log, ASCII 7->29 dropped 45 Injects a PE file into a foreign processes 7->45 11 order confirmation nr. AB-1006779.pdf..exe 15 8 7->11         started        15 schtasks.exe 1 7->15         started        17 order confirmation nr. AB-1006779.pdf..exe 7->17         started        19 order confirmation nr. AB-1006779.pdf..exe 7->19         started        signatures5 process6 dnsIp7 31 mindmade.co.in 96.127.138.234, 443, 49750, 49756 SINGLEHOP-LLCUS United States 11->31 33 elb097307-934924932.us-east-1.elb.amazonaws.com 54.204.14.42, 443, 49757 AMAZON-AESUS United States 11->33 35 3 other IPs or domains 11->35 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 2 other signatures 11->53 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d67be2031b0c85b8b9e3a75e22918001424f13fae04f909ebcc5b36456401cb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 11:16:45 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2z56eay3bsc3ropdu5pcfemaafbe6e724bhzbhv4ywzwivsads3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2aacadb62ad9f77d131d8d40390bbf4a6ef8d0f2635b38bacdb7ea438369c289
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
3bbc420e96825537d8483d080f9918b4d8303aff054b1cd94126ff67fa0526b7
AgentTesla
3f1d00cc832bad31567399df69c06c23dbdc989e18178efc599ca6574d190e34
AgentTesla
699d6b825f4e477e4d9890f7c5d69ef6d157836a680e1427ebbedc6084a5ce9b
AgentTesla
6d8bc551e62f2ce010d9f9ef86ac15d9c86138729ff7d26beb3ef8b6b1fc6aed
AgentTesla
7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
AgentTesla
a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd
AgentTesla
be6d4618333f5bca53591236f870ab7d368843e7b32b3333d97a4a72d920559a
AgentTesla
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
AgentTesla
+ 691 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201021-2rb7rx7mxn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d67be2031b0c85b8b9e3a75e22918001424f13fae04f909ebcc5b36456401cb6
MD5 hash:
d38a11d0ff64bcbafe1e584af15393cf
SHA1 hash:
9734bb87c3d4b0fb0b88f35a32ca5ddebdd53381
Link:
https://www.unpac.me/results/67eaaf5c-3992-4676-b085-2cd0b6ab1864/
SH256 hash:
f3ce462cf2a9e5479d67c3aae4ff712fd44718de1a3482eb63223f596035c8fc
MD5 hash:
3fd8a97ccbd0fa6263069a342bb1ddc3
SHA1 hash:
212c2fae272094677c0a77ee8e6212ca00f6c861
Link:
https://www.unpac.me/results/67eaaf5c-3992-4676-b085-2cd0b6ab1864/
SH256 hash:
c995f6380ee87f427b221b87bcb33b40b424807a406acf007428db7b1fd34c30
MD5 hash:
08af1087a21ab6c8fd329bba8514df68
SHA1 hash:
2918073594883ae88e412dea6f8a0ff8f9233ae2
Link:
https://www.unpac.me/results/67eaaf5c-3992-4676-b085-2cd0b6ab1864/
SH256 hash:
2d135b13e02e884e6636a748643c991047d2e183f267870e43c66f0f6e856cf7
MD5 hash:
a2f03b9b4d7f78dd3483b9e5353d42a8
SHA1 hash:
89564ab984a07a25ba6587e37831eb00c0e87a13
Link:
https://www.unpac.me/results/67eaaf5c-3992-4676-b085-2cd0b6ab1864/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/67eaaf5c-3992-4676-b085-2cd0b6ab1864/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d9bafb0fe8ae8f693df7c12735040c54aba6963c081e01e65f3eb6e667d8dfb4

AgentTesla

Executable exe d67be2031b0c85b8b9e3a75e22918001424f13fae04f909ebcc5b36456401cb6

(this sample)

  
Dropped by
MD5 59e9802a312c978964cdae78dd95c09a
  
Dropped by
SHA256 d9bafb0fe8ae8f693df7c12735040c54aba6963c081e01e65f3eb6e667d8dfb4
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74132/

Comments