MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf
SHA3-384 hash: f0151973643b0e6b04824cb573c5d44add206dfa5f351522a49db3ee216096c5a3b1a271d8a1bb5419d940155a6cfea6
SHA1 hash: 7a0a462391f53d3421862125b944b1cef9ae988e
MD5 hash: 1a19bb4c028d7943e65587dc94f38ffc
humanhash: ack-avocado-nebraska-pennsylvania
File name:PO CPWPKL-1901088.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:720'896 bytes
First seen:2021-10-08 21:17:02 UTC
Last seen:2021-10-11 06:38:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wgxRTlOaEQFD6m7kyR3HrHeu0YuizEEwreL:jOaRFHkGHr+u5EE4
TLSH T165E49B650A94B7A2DA6C0FF280492AFDC52E9D7F2A32F1CE9D94300527F3AD67135D42
File icon (PE):PE icon
dhash icon 95e8c49692d4e892 (2 x AgentTesla, 1 x Formbook, 1 x njrat)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
378
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO CPWPKL-1901088.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-08 21:18:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/387098c6-a42a-4f15-a8f6-4f8f2bda8f5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196243/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.15.17317.12832.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6160b550ddf069d1b6a4110d/reports/acae68ac-7391-4720-b397-d12e3397388d/overview
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867314
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499742 Sample: PO CPWPKL-1901088.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 5 other signatures 2->51 6 PO CPWPKL-1901088.exe 3 2->6         started        10 NXLun.exe 2 2->10         started        12 NXLun.exe 1 2->12         started        process3 file4 25 C:\Users\user\...\PO CPWPKL-1901088.exe.log, ASCII 6->25 dropped 53 Writes to foreign memory regions 6->53 55 Allocates memory in foreign processes 6->55 57 Injects a PE file into a foreign processes 6->57 14 RegSvcs.exe 2 4 6->14         started        19 RegSvcs.exe 6->19         started        21 conhost.exe 10->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 31 sg2plcpnl0023.prod.sin2.secureserver.net 182.50.132.92, 49829, 587 AS-26496-GO-DADDY-COM-LLCUS Singapore 14->31 27 C:\Users\user\AppData\Roaming\...27XLun.exe, PE32 14->27 dropped 29 C:\Windows\System32\drivers\etc\hosts, ASCII 14->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 43 3 other signatures 14->43 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 21:17:14 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3p4upi3hz7rizr7f4m5ptwfkp7rrm3lu26dsacy3zttxpldf57hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b66c77b36e765f63a2e3b4ce5e17ab7ff02001739288b4a6ee17732c183b90f
AgentTesla
16440ddb2c9301aa6a664291f9d89550899f65a704d361f6c7729c0c8172bd76
AgentTesla
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
AgentTesla
45e4961d7b984c4ec98a0cea3cf264d9e14d4105e56f8b1016e789e6d14879c0
AgentTesla
6766499aa0d71f9a187cabedfc430ed315927daf0c7c889e43f2e3d2354935e6
AgentTesla
710ac80effbff3d28e1ca0010738c1ce51104166b3770cb66924f754d1d4a3b7
AgentTesla
d504a9984da543a8ea1904d55aee911590b2635ea6da7e88d118acbf9aff2e79
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211008-z413jaeha8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d434e7cb4105d7e760a39a1a8a1306338b00fbd6507025d53e4c44ede73d3788
MD5 hash:
6613b992e916924c3f38a179bb9866ab
SHA1 hash:
cd5741f4d0a4685c5fd9c9e2e708bbf33ec1691a
Link:
https://www.unpac.me/results/ae023772-f0dc-44e4-975e-4051944a7873/
SH256 hash:
750e0931921e06446f40e5d23df0757a4681507202fdc386181f281ff6065788
MD5 hash:
4314d96f13c0c66bfed45677c0d8e0ce
SHA1 hash:
776c2b4058c90bc7535f317d9c5f24b4d89b1fde
Link:
https://www.unpac.me/results/ae023772-f0dc-44e4-975e-4051944a7873/
SH256 hash:
717ba73af5b437e00cb55ddff65238b4f75ce356c4a10ba07f258ce3e25c7f61
MD5 hash:
eff6ff99fd618366e841f18136c39c62
SHA1 hash:
021968644b41906cb031f6ede85c743c2f9808b3
Link:
https://www.unpac.me/results/ae023772-f0dc-44e4-975e-4051944a7873/
SH256 hash:
dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf
MD5 hash:
1a19bb4c028d7943e65587dc94f38ffc
SHA1 hash:
7a0a462391f53d3421862125b944b1cef9ae988e
Link:
https://www.unpac.me/results/ae023772-f0dc-44e4-975e-4051944a7873/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dbf947a367cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dbf947a367cfe28cc7e5e33af9d8aa7fe3166d74d787200b1bcce777ac65efcf

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/196243/

Comments