MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b
SHA3-384 hash: 29f042c553f6f57c27c5262c5ad01ea6f95b27a3858362ff58c4a4fedac152e6344fc8ceaeda81f096279ea4787343fd
SHA1 hash: 669e84965dcfcd23e15f33e4498ef93657ac86b0
MD5 hash: 464f7da3da9b44d00b0c7b5f23e69bcb
humanhash: speaker-india-two-juliet
File name:Purchase Order_P2C017400.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'156'608 bytes
First seen:2021-04-21 01:27:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:j2DDbHzDSZEMu6cDOfB24Ft7lDb26NrY4Ad++++4+++++++0+++++++:j3GMu5RUt75NPQ++++4+++++++0++++6
Threatray 4'828 similar samples on MalwareBazaar
TLSH 4E35AE257554B2CEC52ACE32CD24DC70A7122DA7D303E607A0DF3D9BB95C2A7EE151A2
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/141137/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.658-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-20 14:21:34 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6omybnxvcm2f7xrkvummw6ifsxemwzattsykufug23copsfsjyvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bbd6e19f9b1db43b341ac6abb2be9a323d289ea751b1bfb7aa928dfd2c6fc4d
AgentTesla
0e8f5b7bb9a8fb551c67b15bd74cf530324e939b8acd491fac54a7a64a51b568
AgentTesla
16371a4c00dcbafa63e93f577306b41caa10d8a567678a7bb3ed54ae1b4cd993
AgentTesla
482e088e44a3e514ac0336587be7d148c85b9264b764ff83441d6ef5f2baf110
AgentTesla
84035c7dd4f195653fd4dec1538e98f9181c74b8eebf9d6415d5cee1616c400c
AgentTesla
ad306f9b10c9cd26497ef01c1c941f4445db27befb24c07c5398f398f9f3ebaa
AgentTesla
b165908b32c13d51cb88b0747c817422a78704b36058b979690ccfae55646310
AgentTesla
cc88bd3a08611e1f813dc1a9885ca7cee62e0c6fba330d9f8dad89f01e319b2b
AgentTesla
dbcf725538c71ca1b75d9bd06ef399ca8cd69d26151d1f84d3f0b62bef1ea03d
AgentTesla
fc8d2060f52b693d1745bac54a0943292519d643917590d4ded54a9cbd96ea7a
AgentTesla
+ 4'818 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210421-ct7vfgpdf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 3eae1597c4c58b77e8031b3d272624ec32e16fcfa5095d626925cda7c4846cbd

AgentTesla

Executable exe f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b

(this sample)

  
Dropped by
MD5 aa9a3ddccc0ca7988570e1c28d19d92c
  
Dropped by
SHA256 3eae1597c4c58b77e8031b3d272624ec32e16fcfa5095d626925cda7c4846cbd
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/141137/

Comments