MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576
SHA3-384 hash: 2149f771271de510190ecbf5d4ac73f918f89fc2445def18c5acc8ccb7b4111c27fd09707380fbba3ea62090ffed2797
SHA1 hash: 9dc86f0ca949e97dfb17ac4d900ea3868232071b
MD5 hash: e57872f6ecc49fbdb794a16d8f9534f1
humanhash: cup-batman-pip-east
File name:Order 01001O02.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:808'448 bytes
First seen:2020-10-12 07:33:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:jgOLVd6teFtX4wkRjumO+ZubXgZFIcCUuMrpUIJugIi6vj2:VLTtFN4wkR6n+WXgZucCKFDJqy
Threatray 471 similar samples on MalwareBazaar
TLSH 9C05E16133E99B96E17E8BF91224215043F53E1B396EF61C2CC229EF1975F808611FA7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: aerial-properties.com
Sending IP: 96.125.165.96
From: Pablo Silvage <sales.bigfzabric@gmail.com>
Subject: Order 01001O02
Attachment: Order 01001O02.zip (contains "Order 01001O02.exe")

AgentTesla SMTP exfil server:
webmail.eurosets.pw:587

AgentTesla SMTP exfil email address:
euro@eurosets.pw

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69990/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488125
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296521 Sample: Order 01001O02.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 10 other signatures 2->47 7 Order 01001O02.exe 6 2->7         started        11 MUdNfPL.exe 5 2->11         started        13 MUdNfPL.exe 2 2->13         started        process3 file4 29 C:\Users\user\AppData\...\bOGsotTCwAH.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpFF2D.tmp, XML 7->31 dropped 33 C:\Users\user\...\Order 01001O02.exe.log, ASCII 7->33 dropped 49 Injects a PE file into a foreign processes 7->49 15 Order 01001O02.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        51 Multi AV Scanner detection for dropped file 11->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->53 55 Machine Learning detection for dropped file 11->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->57 21 schtasks.exe 11->21         started        23 MUdNfPL.exe 11->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\MUdNfPL.exe, PE32 15->35 dropped 37 C:\Users\user\...\MUdNfPL.exe:Zone.Identifier, ASCII 15->37 dropped 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->39 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576/
Threat name:
ByteCode-MSIL.Backdoor.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:35:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3njzv2jw2y5a7a2acv6nnlyhy3z72fftkr4z3nqzm5tzbfoxqv3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24d32404b88210f6f5cb58362bc6122c7f7545ee8b792c075df1b0069a4f10d5
AgentTesla
264ad4ce9b883fe3ff074ec43f796c1a496da7647bad4bd70c3c905b2dc22711
AgentTesla
36f888cfcc5ca73bed330401ff231b38012baad656797b803d51157ee2252177
AgentTesla
42a35c010a543435698dcb69c82b5388e4b91727ee147b9acc60679f4ea1626c
AgentTesla
4951ac0526f553174ab6263d7af02821f01f7563f256ad57ed3f9425693cdc8d
AgentTesla
6564b76eec49b15e7a3f42b48fedca593b48e5f145863dd16ea519b3bcf09e60
AgentTesla
94493ff262c556d80e0cbfd7bb7741003335e4a10f80111b2756499c6cd058f9
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
cec5d45ac266dc0a06c2fba342097f117d35cb931001e9ee873e0183de0e8fbc
AgentTesla
f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083
AgentTesla
+ 461 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201012-7w3k4wchts/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576
MD5 hash:
e57872f6ecc49fbdb794a16d8f9534f1
SHA1 hash:
9dc86f0ca949e97dfb17ac4d900ea3868232071b
Link:
https://www.unpac.me/results/8791dc8d-f827-4444-9e91-1aed326cd8a9/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/8791dc8d-f827-4444-9e91-1aed326cd8a9/
SH256 hash:
f92e1ba1e6165f672f903484d909ca0966fa96977cef7f97e0d540ebd0ddc018
MD5 hash:
724b04ed3d0ccf457bdc6f2ab45d3a32
SHA1 hash:
b3f1fcd1aa7120aeecc677eb711ca66644e06756
Link:
https://www.unpac.me/results/8791dc8d-f827-4444-9e91-1aed326cd8a9/
SH256 hash:
b9ef1d57a6b2294e82b79fb9e43ea627518196d8a17b668220d5b0f0dfaf7eba
MD5 hash:
26abce6bf87373390aa60ad09c07ed23
SHA1 hash:
dce852f80d1936ec22b6c841615dd3e827dd22ac
Link:
https://www.unpac.me/results/8791dc8d-f827-4444-9e91-1aed326cd8a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 98e2c1550d05f77bc1d485e0bcdb3ac1b703441a395a1b91b40f5daaf01fc507

AgentTesla

Executable exe db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576

(this sample)

  
Dropped by
MD5 a9d192a45e18578b3a8212821525fd84
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69990/
  
Dropped by
SHA256 98e2c1550d05f77bc1d485e0bcdb3ac1b703441a395a1b91b40f5daaf01fc507

Comments