MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d
SHA3-384 hash: 13468e6e085c85fc62ef0fb000166789ddbe2402f9d66763715135551f74142a7771a104e84ed9b9d5ad95fa19c847c0
SHA1 hash: 8303c672113bdfab81ecc24bfc15acc297e04f8c
MD5 hash: 9c34dad55a706f320e90cfc52aa23e8a
humanhash: juliet-jersey-sad-salami
File name:NEW ORDER FROM AUTONOLOGY CO.,LIMITED_PO#7A68D20.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:675'840 bytes
First seen:2021-02-04 13:01:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bZi9709qG6SPrnaF/YCcpA7/Q/A4dYp/fAzZlqESr/OfMhXT:bZjPrnaQCcObQnO3K8EyOfcX
Threatray 2'438 similar samples on MalwareBazaar
TLSH D2E402062EFC5F17C6B57FF60E70E01873B9855A285AD3458EE22AC81934F994D80F87
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER FROM AUTONOLOGY CO.,LIMITED_PO#7A68D20.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-02-04 13:03:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fc97a0c-e8e1-487b-b48c-d1ddf5f3f1bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115626/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/599249
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 10:00:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6iihv5tqk6tihmhupzr4ytzuq5dzixf2kjk5uvtnrp3fugrgwr6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05035270f8764166652b1ca9ffcd39d1533d507d22debea6d8e93fe7d52f260c
AgentTesla
3234bc748b81ebe0c42c05f8ba90d5938664be2d70c2326d52e5b2dbde7cdc12
AgentTesla
4df82c087abde68f33236754d4c234e2d4f4cd24cdc44d3350dbbe69da58dc91
AgentTesla
8a13494953554ec0315e8f31ece8fc8a0f8ff12de3530680555eb37686434dc4
AgentTesla
8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70
AgentTesla
abd5600b6b5f6228c095e5703429fbcecc647611fadd3e49090fbb70a8cfb728
AgentTesla
c45d3f56c8f4688a3b33b66caac9c09129f710c0350ce19ec07f1b55616fc832
AgentTesla
e2337e4c1315124c2a03694e0a37bee49d7aabe445b3a988ea619769019eacc2
AgentTesla
f730752f0004b350ae3feabc65cad92908079f4ced927cf320228621eec9bac8
AgentTesla
fcd247261215a170a1644a7abd0c4003b21a81fb0dbdf928831351905e31388a
AgentTesla
+ 2'428 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210204-l7l6tg876s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
697a317d334bb396a4f2780bdc856403ba1df6c21fa3fa42d9064b86c30a263c
MD5 hash:
8801e6f408ee7061d7e9d05f1407c5e3
SHA1 hash:
e9b8fe524b039ef8ab3fbcaeaf000cd1cbd41533
Link:
https://www.unpac.me/results/a8833353-0db7-40e6-bd7d-0bf792d88a32/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/a8833353-0db7-40e6-bd7d-0bf792d88a32/
SH256 hash:
881d1f8b35f1ec37cdca2fc6d20b972b1e1246edbc877d523a34f4dc4085c009
MD5 hash:
b963ecdc7c682d704f9082808830ea8f
SHA1 hash:
cc5024a28a6874a9e9f8848831fc98033cfee010
Link:
https://www.unpac.me/results/a8833353-0db7-40e6-bd7d-0bf792d88a32/
SH256 hash:
f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d
MD5 hash:
9c34dad55a706f320e90cfc52aa23e8a
SHA1 hash:
8303c672113bdfab81ecc24bfc15acc297e04f8c
Link:
https://www.unpac.me/results/a8833353-0db7-40e6-bd7d-0bf792d88a32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b8f654dc4db8fb88a702639d4bab7350d2762507ecc4a40e93672b9f2ebde0a3

AgentTesla

Executable exe f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b8f654dc4db8fb88a702639d4bab7350d2762507ecc4a40e93672b9f2ebde0a3
Cape
Cape
https://www.capesandbox.com/analysis/115626/

Comments