MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
SHA3-384 hash: 3315181a71b952d9730223b36f724afc4a65f1e6a13d9960d1d438e6d66471f0c91a4ac69cbf38d153e44b98b72a7dbb
SHA1 hash: f5bcfc3e8cca744b6d0ac9c33bf4f570e58d5a15
MD5 hash: 801d1a2dc957b062044c7a51db52b41b
humanhash: dakota-texas-nevada-eleven
File name:EFL_Statements_06April2021.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:29'184 bytes
First seen:2021-04-06 08:19:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:dviqzxJ2EuBHFLEF7HgcklJO+kk0IaoZUZ+4lB4SXSHYSXKo7Req:7tJTILNZlYMSPCHnGq
Threatray 3'817 similar samples on MalwareBazaar
TLSH EED2A624A5CAE96CDC50DB750C71F2C359AEFB48519EE13E27CD1A1F3C5BA2A04027B6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps23930.inmotionhosting.com
Sending IP: 192.249.126.31
From: EFL Billing <eflbills@efl.com.fj>
Subject: Your EFL Statement
Attachment: EFL_Statements_06April2021.pdf.iso (contains "EFL_Statements_06April2021.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EFL_Statements_06April2021.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 08:51:05 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/5774e01a-cf74-404b-9e8e-e5823e67fedc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132626/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.8252.32310.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f48dbd6-4198-4a6e-b84d-d971ffe32d62
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
0 / 100
Link:
https://www.joesandbox.com/analysis/667328
Behaviour
Behavior Graph:
n/a
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fgk2o62k4e2qd5d5sceb5n7cnnrpxfx6nsods736abual3u5xbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00012e2de7a1a2dcc2f2d0fbecd6158ac2a2b2804088cf2ea03ce59931b4aa09
AgentTesla
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
AgentTesla
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
1b7afa2a07f65c2cb04454ba72f066bdc4daf640ad3b75cfac5fe82eed6c2c76
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
4dde8ce9768e8239201fd508ec359f26c1703ebcdf4147c5503b303bacecd727
AgentTesla
5242c4552e512707dbeb3b004cb441cc140b6cfe813a4d6532f4adec03bcb23c
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
c73b434afd1074cd367b181cedd3cb55e69bb5d12594c3d2101d0b87c56e1013
AgentTesla
+ 3'807 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210406-7k7vxnf3mx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
MD5 hash:
801d1a2dc957b062044c7a51db52b41b
SHA1 hash:
f5bcfc3e8cca744b6d0ac9c33bf4f570e58d5a15
Link:
https://www.unpac.me/results/c044a86d-8450-4adf-9e45-98b5ad851713/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 0541399ca4108dcdb70a95528bf00ae6a679a2837685997e6508d0790e427f9c

AgentTesla

Executable exe d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3

(this sample)

  
Dropped by
MD5 ab1b570a2cf27e1a344a8f1631cc5c29
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132626/
  
Dropped by
SHA256 0541399ca4108dcdb70a95528bf00ae6a679a2837685997e6508d0790e427f9c

Comments