MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9
SHA3-384 hash: 9902c2ce3fa12765d49f63a58eb8dc112655e780c005d51c268c360740f520d31acc647c1f9bea341fc47590d3075d93
SHA1 hash: 570943e185a8775ca3031828b95bef8de9c83ff9
MD5 hash: 1eac8f5b0920409475e96ef8524cd47e
humanhash: sweet-victor-alaska-eighteen
File name:Accounting voucher display doc_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:942'080 bytes
First seen:2021-03-31 06:44:31 UTC
Last seen:2021-03-31 07:56:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:TnuZ8Vnvyx6yQOpkrgCVTbaakxaM9qBxaM9qhdThRdbN6ksw10tT:TuZ+nQKHTsxF9SxF9ehYZtT
Threatray 3'667 similar samples on MalwareBazaar
TLSH 2B15E02DB75967D3C32E0EBAC423154483F185977372F2DB58E01DE08851B8ABA5F1EA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.inebenthe.com
Sending IP: 185.121.120.169
From: "Sherin Cherian" <postmaster@inebenthe.com>
Subject: RE: Update:: Pending Payment
Attachment: Accounting voucher display doc_pdf.cab (contains "Accounting voucher display doc_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Accounting voucher display doc_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:01:22 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/9bfaf49b-d0e0-468b-872a-0c15f7d1eee0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129151/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.9944.25087.22378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660054
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378954 Sample: Accounting voucher display ... Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 8 other signatures 2->40 7 Accounting voucher display doc_pdf.exe 15 6 2->7         started        12 kg.exe 2 2->12         started        14 kg.exe 14 3 2->14         started        process3 dnsIp4 32 192.168.2.1 unknown unknown 7->32 26 C:\Users\user\AppData\Roaming\...\kg.exe, PE32 7->26 dropped 28 C:\Users\user\...\kg.exe:Zone.Identifier, ASCII 7->28 dropped 30 Accounting voucher...lay doc_pdf.exe.log, ASCII 7->30 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->42 16 cmd.exe 1 7->16         started        18 kg.exe 2 7->18         started        44 Injects a PE file into a foreign processes 12->44 20 kg.exe 12->20         started        file5 signatures6 process7 process8 22 conhost.exe 16->22         started        24 reg.exe 1 1 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 02:22:00 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55gt6nfujifivvjy6lrrsc2xksbwv5us26iahsqihcb3uah4mcuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04b1d133828aae492d8201b04e418e467450f33be15eca63e7b16ac9094ee450
AgentTesla
09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41
AgentTesla
335ba9dfb3db9d279eee99c95d4417bf9a15e23e8924f131477f2826f73558d9
AgentTesla
400b1bf4c7139f7df22748d627aeb7789dd409ae463a0f8fb7d6fa243065d140
AgentTesla
99a9903d77272e93c262ae1391ef64f0639835f0cc9fc8b07f6fbc4d1bf40c5a
AgentTesla
a1297ad5970529014466745cbb2d1615ba88de8e062e77101fab26937ac518ac
AgentTesla
bfa9dff1901281ac2dcaa21c9d35a708b7f4562088f2f6a2b5d20d4ca6a95d21
AgentTesla
ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc
AgentTesla
f07e0500a867708c2b93d0b15504c02faf60a1e69968dd46c246918445975ba6
AgentTesla
fe0a5fde4fbbddd79d2938af2373c69a8219ea73831be712f1bca86150a30461
AgentTesla
+ 3'657 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210331-b6dax2j7mn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9
MD5 hash:
1eac8f5b0920409475e96ef8524cd47e
SHA1 hash:
570943e185a8775ca3031828b95bef8de9c83ff9
Link:
https://www.unpac.me/results/f0420236-9b2c-439d-bdd0-1d5f36dfe27a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 27474c990ba223ff89d638c91e706f1b50c607c58bef7efef185efea85e7dd20

AgentTesla

Executable exe ef4d3f34b44a0a8ad538f2e3190b5754836af692d79003ca083883ba00fc60a9

(this sample)

  
Dropped by
MD5 bf8e7e5d40a1cdb1c277efde53a43954
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129151/
  
Dropped by
SHA256 27474c990ba223ff89d638c91e706f1b50c607c58bef7efef185efea85e7dd20

Comments