MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c
SHA3-384 hash: fb5e9f972c3530a4fbde5722194a0a729bc6e612778d8ec7714f8493c1dfaa5c8d6184f04e4dea62ea87b3d81b2ed367
SHA1 hash: e780d2381b71d56ab754ca04753d62115956d139
MD5 hash: 04eff37e80dd30fb1aac3b3dc60cee33
humanhash: rugby-avocado-oscar-social
File name:ECS9522020080419190039_817_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:763'904 bytes
First seen:2020-08-04 13:12:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dwQKXbpCvLpthTYgFt5Ub0BtRVjdNAqSUisULO/Zxxc:SQKlwLzhpteKtzdNAqK+//xc
Threatray 46 similar samples on MalwareBazaar
TLSH B7F48EC0B1232993DA7892F51603211047B13A1EB9ADE3EA5DCFF2D765FAF441952A33
Reporter abuse_ch
Tags:AgentTesla Citibank exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: citi.com
Sending IP: 213.227.155.13
From: Citibank Paylink <paylink.india@citi.com>
Reply-To: paylink.india@citi.com
Subject: Payment Advice-BCS_ECS9522020080419190039_817_952
Attachment: ECS9522020080419190039_817_pdf.z (contains "ECS9522020080419190039_817_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38681/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/409418
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:14:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cu3oryjnsxeoobjyptdmvdau3lmopu7vtotzogrfzpifwsfajuga._file
Verdict:
malicious
Similar samples:
087ac99d4d33bb73d2e7e11b592a2a7e07fb775de4c97264d7f3b2e1a51f9669
AgentTesla
1d9e325f6d234c3d212243a3924f25a2e4acce0db718c57a52480e6994b5e173
AgentTesla
211abb81c05810e3f08608a7035e8c4c3337de419e63257b4c3e4a1d2669aec5
AgentTesla
4b9f712433c48ac510be9620a98f09883e4c363c2c265c3534a381c3cc17b932
AgentTesla
5d0fe828d087e58c38d1724aeced199e4fb352535621e09ab4875a2f960ddabb
AgentTesla
7ed29b5971fdfce885116395debc7289bf0e27966e6c72e41f0e6902b30c6575
AgentTesla
92227e0112ce45a2da5a726b14a6b573781f3da9e420c952fd10f6b22ca9c2b2
AgentTesla
9d839079365af7cef63e51d9b4e8f751272cb753852dc67092ae84dde4bf1778
AgentTesla
cc86bfa00eb04de2849ee30eab7202d0e3fcd0af3e596c4c4f0bc0e569b4a8b8
AgentTesla
fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493
AgentTesla
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200804-q2l2pc194n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e6ac7bd584a8dbe347c4499fb4ef4572

AgentTesla

Executable exe 1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c

(this sample)

  
Dropped by
MD5 e6ac7bd584a8dbe347c4499fb4ef4572
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38681/

Comments