MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d
SHA3-384 hash: ca763ab499829b8fecfa33b4cf0bdf60cca265944657108bb9734e72311ec4fcdb9d2c34d0b187f1cf2a2cdec0fdb1b2
SHA1 hash: 0942bb2c150d8fba128ef3acbb30da6536ad178c
MD5 hash: 56f24734839645bc71d9e354413971b9
humanhash: tennessee-moon-cardinal-north
File name:MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:954'880 bytes
First seen:2020-08-18 13:20:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:qF9wY5o/IXIBwun6g9e4EcmZHAFaxmVmie9bngPemQLtRh7:qF9Bo/IXIGJg9e4EcmZHAFaxmVmie9bL
Threatray 9'166 similar samples on MalwareBazaar
TLSH 05151A5AB392F15DDECA1EB654291CF8838E6F21811178FB3541BDB673E9DF1060223A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: swn0.719.zazomika.ml
Sending IP: 157.245.100.117
From: Panlink Shipping Agency(Jiangyin) Co.,Ltd <agency@panlnklogistics.com>
Reply-To: howardbrisson@gmail.com
Subject: MV NAHIDE-M // EDPA REQUEST FOR SHIPYARD CALL
Attachment: MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.rar (contains "MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47911/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d/
Threat name:
ByteCode-MSIL.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 13:22:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eixwwxd4bbewf4xd7guput5fhzg6k6ub5pytg62xtopu2ffpzwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
239a40118ca9473eb4be7f1bcf0fbb00c93b7213926402d93074b2252bc72092
AgentTesla
490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3
AgentTesla
68b6aee99f9d4bf184c77beacb3b8a418f84a7efa606e5bd7f4fd57edb904054
AgentTesla
6dfcd16fd49c65c541603ff162b0614aabfc70548455b21c3877240855df12c8
AgentTesla
7867241670b0fd664072e1bf555bc56b8291a80e01adeebcffcc768a0e88c117
AgentTesla
9b71ca5e5e3faf0bd77b6f6d370d5aa32dffd3e2019b15624a544487895f82f5
AgentTesla
a35e2cdf735f7548734e3a0647849754ce8b180809438efa67ae280454831443
AgentTesla
c962bb037efd22fbe3a0754054f411e8cf2f29a4e2dcb3aa5c0e15f8e4a77feb
AgentTesla
ceabc6af60d4bf77f5610a2194219bafeb96bd7fc94ab35d6ae51e7459298d7d
AgentTesla
e380dd9160bd4addca9a318590214df89713f9bcc7f9c0eede48f452274c8e82
AgentTesla
+ 9'156 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-p1whqn7c9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar dcca2b71be058054dd0b9393ab5b02a8ba569640fb96fe5d1629acccce179804

AgentTesla

Executable exe e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d

(this sample)

  
Dropped by
MD5 71f0fc17c747b38fbb90c843475bb97f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dcca2b71be058054dd0b9393ab5b02a8ba569640fb96fe5d1629acccce179804
Cape
Cape
https://www.capesandbox.com/analysis/47911/

Comments