MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855
SHA3-384 hash:	0b791f0e9168e17f188c63619323230a150bb06203cf0bf89de027ebdd82c09e49e1ea65384555bc5cb24267288fe1b1
SHA1 hash:	23a2a0ced112685e15bf9bcad79ff8433771a106
MD5 hash:	c5bba39ad35dbd340cb1c8420993569a
humanhash:	fourteen-monkey-virginia-mike
File name:	Purchase Order 10084-NA-2ND REMINDER.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	566'272 bytes
First seen:	2020-08-19 13:04:33 UTC
Last seen:	2020-08-19 13:45:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:oaban7qCQw0NPfYhld0v7FXhn91vSRrmQ:oOaGCQ9PKd0v7FXRSRa
Threatray	10'608 similar samples on MalwareBazaar
TLSH	EDC4120623C8DB2AE93EABBE4026351413FB9126D361EB1FFF85509D0927F91C796B11
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: lhost3.adeox.net
Sending IP: 213.142.130.18
From: Mr.Thongchai Upachit (Ter) <Thongchai@tkd.co.th>
Subject: Purchase Order #10084-NA-2ND REMINDER
Attachment: Purchase Order 10084-NA-2ND REMINDER.exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/48539/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.19341.7047.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/438092

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855/

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2020-08-19 00:22:14 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3bp5ke4ncoxt2mj4hmvzwpktpgzndi4omawowgi4aljupun4hbkq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

04a9ddb426b6bc9febd1f0fdf436cde01976a37b8c99fbbabbd0076ac4a0be92

22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734

50946bb2be1a9fb71dfd068710893588bfcbeacdf2cde3e0270c2f6487594a99

77682fb2cd5b31c9c8f45afa66b50e52f0f55e37a66bd6efe0ebdf10fb52b5e0

9bdaa1fcc1ff472dd41dadc7e01f9fa8d21adbb34a0576debe64e1ed7bec7e7e

a7ec6dfb09d3866bdfe3a1306182ad995f309029828f9e1de99bb7f658cacb64

a88a46932f47eec272474435c082a4bc552a13e41dee13ae9c140f20d119fc40

c2a1a51f1cbad62d824bab3c43410885fdbbfef0cc2eb82b7c2522aed149d17c

e1ee883706a9a38147182dfb3769ef61d4cc3237d962e246849766b79e14754a

fc87f06a5699c35bd0fd808b51c0b0558f112e5bb0158d7553a07456d3cd4ffc

+ 10'598 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer trojan spyware family:agenttesla

Link:

https://tria.ge/reports/200819-wmph8ybj4n/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48539/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample