MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdaff5b7230a045f22dcafc4da592c42c3386770c58757cc825a99fcef5f1f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 11



SHA256 hash: fdaff5b7230a045f22dcafc4da592c42c3386770c58757cc825a99fcef5f1f78
SHA3-384 hash: 07eaea4a32a76fff29bd68645292c930db9d1f0f69fc5a01ba5912902b2517d8a7c188e0bdb2ac13b248525c7f39b72a
SHA1 hash: 0a580a7ca5e1e2128ab507e644df45c54d939192
MD5 hash: d4ac2e301d054744db922f396d497a1f
humanhash: illinois-leopard-double-jig
File name: Purchase Oder List.exe
Signature: AgentTesla
File size: 656'896 bytes
First seen: 2021-07-27 06:10:16 UTC
Last seen: 2021-08-10 08:35:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:wOsBgo0q4wMUsutJ0PNXVGYC+0quXXkzItj+DFZWWwobEnNeUJ:wOsBgo0q4wMEJQXd6qYXkkcJZzwHNe2
Threatray: 7'399 similar samples on MalwareBazaar
TLSH: T168D4DFF5193E770BF49309FE20B191A329A484E9CCA9CBE4F73351ABEF254576081786
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Purchase Oder List.exe
Verdict: Malicious activity
Analysis date: 2021-07-27 06:13:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-26 18:34:23 UTC
AV detection: 11 of 46 (23.91%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files

SHA256 hash: 199cd4b22f9d75effef5b7dc4ec2523741f699673d59f252c9a695baee72d481
MD5 hash: 69c5e5320669475212b885e8641dc3d5
SHA1 hash: 8fd91fe7b9f9b98374230d91a759784bc2b8881c

SHA256 hash: 76493a819b77e745c6563eb6428c8ec046a7d11cf6b8128f2b7b2a9e849b8fb3
MD5 hash: 397c678bd4cc8432cd5315e6c2499d7a
SHA1 hash: 6e711d8da76e166a235067267228a8a8601c20e2

SHA256 hash: 97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash: 68463851c0e6fe7a254c99fae763d454
SHA1 hash: 4587a5371d88c296a0184fe47ee0c5245b187127

SHA256 hash: 3b122cd983700c6b840006fb582e38feae4f55e230d5096a40fd278fa3e7c4dd
MD5 hash: 604e959d9abf7f6de7c285f89726eced
SHA1 hash: 0775f469c7c38ed600237436d00e6e20d51e3db0

SHA256 hash: fdaff5b7230a045f22dcafc4da592c42c3386770c58757cc825a99fcef5f1f78
MD5 hash: d4ac2e301d054744db922f396d497a1f
SHA1 hash: 0a580a7ca5e1e2128ab507e644df45c54d939192
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe fdaff5b7230a045f22dcafc4da592c42c3386770c58757cc825a99fcef5f1f78 (this sample)
Delivery method: Distributed via e-mail attachment
