MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12
SHA3-384 hash: 44c14b2e8743c1eae6b09d9cfba4a045bdf30ac6545f4238441227003339666a63c085ee0e9491299daebed6a6ac8e6c
SHA1 hash: db0f0750d0bbe620db17a719f74c06746a2e05de
MD5 hash: df77aaa6e3e3aa36d253ef893063452f
humanhash: maryland-tennis-violet-jersey
File name:Payment 67830.00.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'072 bytes
First seen:2021-07-22 13:03:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wn0OAfW+vT15kICu0WIv6nm/HGwMuev0WfcvHVU/vDE232syaUVKnp:03AOyT8hW7jruev0WfcPGizahp
Threatray 7'223 similar samples on MalwareBazaar
TLSH T155E4D174A31BA708CD3883FD2C15D15127FAA01E936DD6782E98907CBCB2BBC5BE1651
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment 67830.00.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 13:18:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/200a3c80-020e-4734-9452-eead8f47584a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173329/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afdb705e-a34f-41a8-bfc7-2deb92e063b2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/820129
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 01:43:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzilrfpncdd4ytwkwua36nrukhbewzkohq62h34itjv5cocwxuja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f2f011ab5408672f97b1fca323554daf40b35bbfed4e587bcffea8a08ccf979
AgentTesla
1ba742a8035002362e46828bcb7a24342bed430d6bcd59999afd520dba3de81e
AgentTesla
2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
AgentTesla
3a7f7469b6baed39f60bad2beb6828ad1705cc49dfc9beaa89062953bd11ea42
AgentTesla
7b8353f603a3cbc9e87b5845409c451fc624d6757cdb93255e5fa4bec5737b21
AgentTesla
8e7ebca2166256f89d506b309b900d60abf4118d2b76a802fb0ae347f59081b7
AgentTesla
945fd7f1f9295af69bb5799a43d96d370c2e38ef08b4fc9b8258031ff99723f4
AgentTesla
a6169937c872aefc3f1e5c13e40f05d9cb0cbba3a16490f134b810b47027b035
AgentTesla
b6f371e3895f840676f1b3716f92f078ae5b57d80b19adece970e4e013700e60
AgentTesla
f7b11103bbd791d5c2452275ff23fe51eff41ba5071ba015ef50672138c9b459
AgentTesla
+ 7'213 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210722-vc6zdm6bln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e715ac0bdabb1a11d92223d7abf0cc9d0f558a4021a39bce6261e4279aa694c1
MD5 hash:
b62396a35d88e5843a966f39d265ad61
SHA1 hash:
d8a8d565417a58a89cb105e17ce6e636bb7ecee9
Link:
https://www.unpac.me/results/713be5e5-f83e-4f76-86c2-bf5a13ecd491/
SH256 hash:
56ff652fb9a29c04272af9e72c67f64d4e0a18b8a492e9230418257e4bd04423
MD5 hash:
4d0bf5b85188aa1c0d4cf43bd5f3c4cf
SHA1 hash:
b6152accd1671d7fd142c7e8648fc5819097f1fb
Link:
https://www.unpac.me/results/713be5e5-f83e-4f76-86c2-bf5a13ecd491/
SH256 hash:
2a5443bd02dd8dc75c0e54c0efcc7e3c2f1731d1c262352d21076b48809e5aa6
MD5 hash:
54a8af2287e810f78030272296c89b70
SHA1 hash:
2fe3e8f01c8c26280b39dd70b551eb3a338e38b2
Link:
https://www.unpac.me/results/713be5e5-f83e-4f76-86c2-bf5a13ecd491/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/713be5e5-f83e-4f76-86c2-bf5a13ecd491/
SH256 hash:
0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12
MD5 hash:
df77aaa6e3e3aa36d253ef893063452f
SHA1 hash:
db0f0750d0bbe620db17a719f74c06746a2e05de
Link:
https://www.unpac.me/results/713be5e5-f83e-4f76-86c2-bf5a13ecd491/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/173329/

Comments