MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47
SHA3-384 hash: c4138e7cfd2d683c35d951064972c1ba7481c8d1b47cdf10e5c50247d0763f96dea1f6d6f43ac87fdf55f9528b642cda
SHA1 hash: d5952b41f903a3e980c9b9e2fbf8a1de3bc431cf
MD5 hash: cd6c7cebe32c01a2efca4ce22ba7ac8f
humanhash: triple-thirteen-shade-eight
File name:cd6c7cebe32c01a2efca4ce22ba7ac8f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:558'080 bytes
First seen:2020-07-10 07:40:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:nIU+Hg8Tk3nk0jskko0kkTmZjJU+Hg8Tk3nk0jskko0kkTmZj67xaCEnHhr3XM8b:IUB5JUB567vE53c8uykci7OQLltShOA
Threatray 10'836 similar samples on MalwareBazaar
TLSH 69C4DFFE32645727C419B179C85AC63953302C57B410E2566BDEFF8B30F2FA741268AA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
bh-58.webhostbox.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24302/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 03:31:24 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zkxceinnmafyppfzpuwojsaevgdckpswur2gv62n4ldug4cprdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
076580e45581e858d016af8b610744d3c83bdf83c62066178dff04db7ac71e97
AgentTesla
0ce08df0b3611911bc5afc8a1cca8ee808bcc0c4d7224910fad496244c38e47b
AgentTesla
223d7fdd2305def16cd0c966c3bc4a9094dfb6ba951f46c3f868d9a713db30f9
AgentTesla
46a0eec66fe310840b94df8426bbffb48147f288e8c99dc94e8ff10aec4d263a
AgentTesla
68f2555170447ba9d31f0feb42074fc3764543a705a08c938e93d2c6e574d83a
AgentTesla
8416f3621c432bad0ab9877e3f9dc77ea9a3e1dfdbabef28b71059604b9fab04
AgentTesla
92dcc5b8d659d632e41ab1f27b1d0ee2062d46c82a71d06a6c3c6c4e63c7293e
AgentTesla
963187e0780a5447539322536555e2e3898d85dfb6762e6f63d2bc634d6fa6c7
AgentTesla
c8f33116c7687f9356ff635c3aeda9244900cdcca560792079389d838940c25a
AgentTesla
e0946b05635011f81ce5534b1d49bec2dd2cb184af87c7ebea2f55d91e0a07cf
AgentTesla
+ 10'826 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200710-nzxyj15q86/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/24302/
  
URLhaus
https://urlhaus.abuse.ch/url/408190/
  
Delivery method
Distributed via web download

Comments