MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86ae16804864eba0e062dd196a0b46689854fd71b966a5f5ee1621516806379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: f86ae16804864eba0e062dd196a0b46689854fd71b966a5f5ee1621516806379
SHA3-384 hash: 3423fd37329b957f1829b90ab2a5405387135de5f4fd7ca198fc5f8e703f2c2921c857080965a392bcdb8a8a62b6c306
SHA1 hash: 543582a55873f0da9c94ef97d0539bcaba039faa
MD5 hash: 9a6a2ec73e6c92493234c1ebd1e27931
humanhash: july-bacon-connecticut-fillet
File name: Signed Copy Invoice_pdf.exe
Signature: AgentTesla
File size: 430'592 bytes
First seen: 2020-12-09 11:03:52 UTC
Last seen: 2020-12-09 13:02:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 553802f9e2099976b11882b89029573d (3 x AgentTesla, 1 x MassLogger, 1 x Loki)
ssdeep: 6144:63QxRP2N/fnRcd6HoUuklShnVgO1z/jA++7hwGOMdi:NxRgqKuklSlVXtvEq
Threatray: 1'774 similar samples on MalwareBazaar
TLSH: D594F101B5E98030E0B353774964EA624ABEFC394A768E9F67D84D4D4A380C1BF25F63
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: speckimoveis.com.br
Sending IP: 172.93.201.144
From: soraia@speckimoveis.com.br
Subject: Signed Contract Copy
Attachment: Signed Copy Invoice_pdf.zip (contains "Signed Copy Invoice_pdf.exe")

Intelligence

File Origin
# of uploads: 3
# of downloads: 137
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Result
Gathering data
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Threat name: Win32.Trojan.Graftor
Status: Malicious
First seen: 2020-12-09 11:04:15 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 12 of 26 (46.15%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SHA256 hash: d7cba39babbbb0c9dbe964293bea0c72741b22bbad28ef838c1fbc31fe3a4ab5
MD5 hash: 5302a6a5c3e26191f9197969f66a5b88
SHA1 hash: bfc4252418dce6943673c0f4b2142270b4ce63a3

SHA256 hash: f86ae16804864eba0e062dd196a0b46689854fd71b966a5f5ee1621516806379
MD5 hash: 9a6a2ec73e6c92493234c1ebd1e27931
SHA1 hash: 543582a55873f0da9c94ef97d0539bcaba039faa

SHA256 hash: ddb283e1d7fc94963c6f0b171d7a6fce31aea89a02b3d1af0281d88449c4aa67
MD5 hash: a38077d69a2b8b7ef0ed11f83b2d219f
SHA1 hash: d3529faaf2fa9c8f5017f4bbc6c5e9542aa27618
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla
Executable exe f86ae16804864eba0e062dd196a0b46689854fd71b966a5f5ee1621516806379 (this sample)

Delivery method: Distributed via e-mail attachment

Comments