MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e58d6b2cd3c5075606bcc5192f0806acc34bb2b5709a0beab4928f19f40a7983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e58d6b2cd3c5075606bcc5192f0806acc34bb2b5709a0beab4928f19f40a7983
SHA3-384 hash: b100443fbd4a2bfda95a447644f357aa65b48c7078733a32c5b64e6b76aaa3042adc2d63de9317a3f897ee614d9fac86
SHA1 hash: 4c67adea4a632e81f03f1f06d27bbca2e9f3806f
MD5 hash: b178f049b710bfe899f65bde19b31d06
humanhash: item-venus-mars-purple
File name:nueva cotización.PDF.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:771'584 bytes
First seen:2021-04-20 06:47:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:5QmFrovRU/1NmEuUJqeKf3n46nL1yY3TuKU2wNYdbCqgnm3lRzRRRRR0Z7Fd8qY:kU/BuYwXtSKlwCpCqgnmnRRRRRGxdHY
Threatray 4'064 similar samples on MalwareBazaar
TLSH 36F4D02C6644CE52FF2D533C0012E68002E89D765592F65FE9F4B8B9AA735D38E9334E
Reporter TeamDreier
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
nueva cotización.PDF.bat
Verdict:
Malicious activity
Analysis date:
2021-04-20 06:57:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a1e5417-8892-4f63-85ff-a46e5d6675ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/688384
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e58d6b2cd3c5075606bcc5192f0806acc34bb2b5709a0beab4928f19f40a7983/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wgwwlgtyudvmbv4yums6cagvtbuxmvvocnax2vuskhrt5akpgbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29ebec67d2006c81333565581d8c2b123a3fbeee5123180b25feccb3b02f838e
AgentTesla
4f7f0a1c3a689a98727e06797f7b4fc2c67e843c56b7514b71145242d624f2e5
AgentTesla
52d514639923395c838d6f682c4be02ce3ba7ff3c5de613824e51ce0280a74cb
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
AgentTesla
a31924a3f39126f3f253c75ea5b787a4756b885828916ff5bd5b1c9ca9b95c59
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
d22703e680337df8913d30ae6c72d715f6f726ad87d6fd5a847088d67c7ae608
AgentTesla
e3154d853187b18659c637d16cb0a1fdd48c1bfa53c5d39aa11e1ed3db471dbd
AgentTesla
ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870
AgentTesla
+ 4'054 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210420-w9k16jk1bn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e58d6b2cd3c5075606bcc5192f0806acc34bb2b5709a0beab4928f19f40a7983

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-20 07:01:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing