MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68
SHA3-384 hash: 4835705db2524397402412337f672e267bf197034edc7d88c670bb4a6ea5c4664df850a03a1809c78b30d1470ac89385
SHA1 hash: e8c520d244730af5f7d1c3b1ab3cabb5a9cf3d0c
MD5 hash: e2e0eaf9e813cd53025c3e293297c590
humanhash: november-alpha-whiskey-autumn
File name:PAVLIS a HARTMANN s.r.o.-INVOICE NO. PI30500111& PI30501121.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:692'736 bytes
First seen:2020-10-15 11:42:01 UTC
Last seen:2020-10-15 13:28:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 3072:DSXZILtg9fx+Ph1naimPJsQ5PqzItxbb+G:N
Threatray 11 similar samples on MalwareBazaar
TLSH 9FE4FB3CADD9223796BBD6B6CAF555CBF911794331666C0E90DB03820A03B677EC211E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.kosmoindustries.com
Sending IP: 170.130.183.38
From: PAVLIŠ a HARTMANN s.r.o. <info@kulmanorders.com>
Reply-To: PAVLIŠ a HARTMANN s.r.o. <logspass007@gmail.com>
Subject: PAVLIŠ a HARTMANN s.r.o. -INVOICE NO. PI30500111 & PI30501121
Attachment: INVOICE NO. PI30500111 PI30501121.zip (contains "PAVLIS a HARTMANN s.r.o.-INVOICE NO. PI30500111& PI30501121.exe")

AgentTesla SMTP exfil server:
mail.denafoam.com:587

AgentTesla SMTP exfil email address:
info@denafoam.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71332/
Detection(s):
SecuriteInfo.com.ArtemisE2E0EAF9E813.27676.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492271
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 09:11:44 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=67z6c7ba6fkig3cwyp7v44avhfu4c27enyp2abk3qakcpjxv3vua._file
Verdict:
unknown
Similar samples:
4492477085185c93963a539b53e4b5b13039562d20131a9a6764c62acf1c8e25
AgentTesla
4ebbe65cfe80f43324e007ecd5a4ae3ce57b0d07873df267e70d2355f06a8199
AgentTesla
5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb
AgentTesla
754fdfd0924f05f11304a3131e908eb9189b31a2d30d50be50420853290bf709
AgentTesla
8490e3d97ac25a9e1e87a0270a30076cc38b75ca705e28d5c78b93968b0231fb
AgentTesla
86432e782ec0089c5cc180a225cf8aff59409c0ef773c0e10e6ddf898b0508bd
AgentTesla
b913e576da11984343f7d0ad9064b36ab0410bc31e686245f29169747ef3cd4b
AgentTesla
c8718b1795499f8f6958c2665914bd1320a4a3a6b039f00d19ab7ca283ffb968
AgentTesla
eff29f6e669e851b8449f4e7dcf2e0ba010e08b3a929c872ee51569b331e67eb
AgentTesla
fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201015-spdcssa8dj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68
MD5 hash:
e2e0eaf9e813cd53025c3e293297c590
SHA1 hash:
e8c520d244730af5f7d1c3b1ab3cabb5a9cf3d0c
Link:
https://www.unpac.me/results/160bf9ca-4067-4bed-b80d-885fad50ab01/
SH256 hash:
ec0317908053f00e5a0a5ac98c005c3e1a6af421b1d0711dda94d5f060c80247
MD5 hash:
d3225899ade2642488b41e003924d9fa
SHA1 hash:
2bcbe3517805dd5126a08a5d6d496b3504b794bd
Link:
https://www.unpac.me/results/160bf9ca-4067-4bed-b80d-885fad50ab01/
SH256 hash:
45ebba606bd1f973356400c12130c218de9ec6574452ea5f1b560af54ae6cee4
MD5 hash:
c6a78c9451495b966538cadfe9e882af
SHA1 hash:
40adc0222496f8a73c827d7aeb9f0615123990fc
Link:
https://www.unpac.me/results/160bf9ca-4067-4bed-b80d-885fad50ab01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e190e518a11fb74bd318c998a70558443e9d897acdbee5f5dd2d4b836f063ada

AgentTesla

Executable exe f7f3e17c20f154836c56c3ff5e70153969c16be46e1fa0055b801427a6f5dd68

(this sample)

  
Dropped by
MD5 fa0c5e22cdc3256e5ebc6b3596a0d4c1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71332/
  
Dropped by
SHA256 e190e518a11fb74bd318c998a70558443e9d897acdbee5f5dd2d4b836f063ada

Comments