MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d71e111e12643f8c35292b4b2f02f45935f76acba96d2f0d66f55bb752955644. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d71e111e12643f8c35292b4b2f02f45935f76acba96d2f0d66f55bb752955644
SHA3-384 hash: f9c5b64835f532d6ea7063b7b61f18896fb624082ae107078b62773dc576c4d145288b32729fe8782f6703c6059ecbf3
SHA1 hash: a618f8f612b3803639992611eb4022bee6c8abbd
MD5 hash: 0bd6c0aa0f95699cd31fae0ec2827c92
humanhash: alaska-yankee-maryland-oxygen
File name:Purchase Order32002068.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:480'256 bytes
First seen:2020-11-07 10:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 34ec234718f5f3a61f897452f4780c35 (2 x AgentTesla, 2 x Formbook, 2 x MassLogger)
ssdeep 12288:ckO+R2G1Ph73Dl5AJ/gWNX291E7k8QBK9Tikg6ryyTBoO:PZ2Gr7RGE1W3Q895dloO
Threatray 99 similar samples on MalwareBazaar
TLSH 1FA4F1357482C0B7C0B3183504B4D6B29E2DF9301FA5999F73D9133A6F746D1862ABAB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.aero-cabln.com
Sending IP: 23.254.226.78
From: Almanza, Alejandra<sales6@aero-cabln.com>
Subject: Purchase Order RefNo 5032002068
Attachment: Purchase Order32002068.7z (contains "Purchase Order32002068.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523818
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d71e111e12643f8c35292b4b2f02f45935f76acba96d2f0d66f55bb752955644/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 21:56:18 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=24pbchqsmq7yynjjfnfs6axule27o2wlvfws6dlg6vn3ouuvkzca._file
Verdict:
unknown
Similar samples:
3964255c6edcc775158338c29c12a374eef6b3bad5d1b05641a7c92efb8873de
AgentTesla
60d7a9feec05511bd20c144fd23ad438d80b673487ebe45d857906c054c82ca0
AgentTesla
74fe23fdb7b12b785e1e6db24dba0536deec51ddac1edbd53a0211b68672628b
AgentTesla
8524c16356ec2511b2623d04902d772836d3460de10f2dca77a8930a92703eae
AgentTesla
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
AgentTesla
ae1030f0ff069ac50dea9f299186507db2223f47fc51d1952c92d4709ba56190
AgentTesla
af09dc4e1c03370d83596aa180b581541bea551c00e731dbb05229525389036e
AgentTesla
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
AgentTesla
c7c88d2b99c205b8d310216099451f4fe847f226ef392ddb6447ef5bb28be8a0
AgentTesla
ca20e6d6fc14a5a1b07747c95d04fa6fa593fbeda1be5b0eb84495d60fc59e01
AgentTesla
+ 89 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201107-4q7l2sa8pn/
Unpacked files
SH256 hash:
db220a1b75ba316bef4ab0adb9e1dca647af4a4f5b7d6158f84fed51d0902879
MD5 hash:
291d9ea66ce03c78cbffd4c33853164c
SHA1 hash:
2cec47f7f5a3fea45bc78cdab1720b496dfdf3d8
Link:
https://www.unpac.me/results/df9d569e-6d29-4f50-bd88-01c7c64121d6/
SH256 hash:
d71e111e12643f8c35292b4b2f02f45935f76acba96d2f0d66f55bb752955644
MD5 hash:
0bd6c0aa0f95699cd31fae0ec2827c92
SHA1 hash:
a618f8f612b3803639992611eb4022bee6c8abbd
Link:
https://www.unpac.me/results/df9d569e-6d29-4f50-bd88-01c7c64121d6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:Embedded_PE
Create hunting rule
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 21fdd6fadbe362fd034900841aaade0613d7f15573f03313ad29645472780837

AgentTesla

Executable exe d71e111e12643f8c35292b4b2f02f45935f76acba96d2f0d66f55bb752955644

(this sample)

  
Dropped by
MD5 686293552b8e1b21771874c2ec477abc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 21fdd6fadbe362fd034900841aaade0613d7f15573f03313ad29645472780837

Comments