MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca
SHA3-384 hash: c4f722a80c9bca6943b3c0524329dcf618df7ca231c7a1c2c9e69ed70127417c66d4c1b2a7c4d4a58fe456900f903e63
SHA1 hash: cd9aaa91869c85fc68fd1f42c1b4068c8d62959a
MD5 hash: f35f2406a393c92b35d6e10686e81195
humanhash: massachusetts-nevada-gee-three
File name:Purchase order LN20210201125010101.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:681'984 bytes
First seen:2021-09-07 10:17:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:lN9FJLgGqib7+xzde+HpULoh7+1OPDlqa6MnXkOF4d3vLS4PxwYt7+Lts:zcxZZHKEV+1OPDsF5uODSU7t7+Lts
Threatray 9'605 similar samples on MalwareBazaar
TLSH T182E42C3E18FE23279176C7D5CBE48823F6C498AF3233A96467D747664316A4635C322E
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase order LN20210201125010101.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-07 10:18:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7e1ca45-28a3-4d78-b1fc-b47ac4f117a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185992/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e436c9f3-5253-4b64-822e-e36989392bbd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846502
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 10:18:06 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=74b5uwz4xj2qqnbp543f6i4jvutvi2hdgqcqbg5bk62pocllylfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1ccc5bced31180423f20702c5824e3f1891a873b8058ed94bb4d457379cd7652
AgentTesla
3686959402c512154fc465117581958b97fa7c74657eb9909f31a6befb878e95
AgentTesla
4257668544f82471d6be72eca158de2d80011072ba2954b06fbae4ff6a71b4d2
AgentTesla
5693b238c29b2894b4bc466f57b135f9201f664cbf8b5695fe632eeb602bb3be
AgentTesla
a13818c085ae6a086b8020857d505758c9a4be67da60651ed90cbbd0aac2fd60
AgentTesla
a370e5a3dd41bceb949fcea42272ff34bd430535345316fb220c8a2c4420048e
AgentTesla
caee115a3bb2028fd81681b1fef997f87893c603dd42ca0932896029424ed1e7
AgentTesla
e8b03eba180b1a2c6da3c0225b919ea0e5f69b76d3281b4d02ce318c6aa8dd03
AgentTesla
+ 9'595 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210907-mbyqgsffbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
10a6b3ecb9107dcbe6d2ad957a4e90d5e3312e4e750df64f54091e773ecc712f
MD5 hash:
3d736720660862dfbd1cbad4470162d5
SHA1 hash:
e50ecbfe8d3e4faf784441d950fb7695129efb1d
Link:
https://www.unpac.me/results/cd67b3f9-55ad-44c4-aba9-0bab048c8ac7/
SH256 hash:
8fc36fccc0b82f2d2ab58f42e57026db47de09718bf503181859a4ea87abfde0
MD5 hash:
10c8b1a709e1866cc7d22fe0ec142cb2
SHA1 hash:
df291bb6a689c755cc2b73fa1a32a6685bbb7fb7
Link:
https://www.unpac.me/results/cd67b3f9-55ad-44c4-aba9-0bab048c8ac7/
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
Link:
https://www.unpac.me/results/cd67b3f9-55ad-44c4-aba9-0bab048c8ac7/
SH256 hash:
ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca
MD5 hash:
f35f2406a393c92b35d6e10686e81195
SHA1 hash:
cd9aaa91869c85fc68fd1f42c1b4068c8d62959a
Link:
https://www.unpac.me/results/cd67b3f9-55ad-44c4-aba9-0bab048c8ac7/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff03da5b3cba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ff03da5b3cba7508342fef365f2389ad275468e33405009ba157b4f7096bc2ca

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185992/

Comments