MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca
SHA3-384 hash: 635669a94c35a50327382d8343531fa2efaffe7fd0b9f0097957288956da84ed2fe99f68ef37cf23df7fd5a3bb3615d9
SHA1 hash: cb0fd92569995a32ee205cd2804b93d9752c0d4b
MD5 hash: 4e093a671799ddd0aa2805620da12354
humanhash: pluto-early-equal-mango
File name:cash.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'278'976 bytes
First seen:2021-06-22 13:59:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:f/hQKLOauG9ccQbyubTB0e5070+6ZZZZ68294r:WKLfYlbTBi3q
Threatray 6'033 similar samples on MalwareBazaar
TLSH 90459D1DA45E9963D7AEFA788AF6BE80E33C93947C7FD123053204BAE968D8D11574C0
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cash.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-22 14:02:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b9deee12-b555-495b-8773-622b6d90ff20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167584/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20210622-1102.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46ac5f22-0d66-4693-bd4a-d9770e0f89d3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806003
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 08:13:03 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7wnb7rmild42b77vzzup2uhheyg35cmdsln74ff325l225i67fa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
000f72da09396d3bf401f056b888a2c5d2b9e485bde07cceffb272c78ca973e1
AgentTesla
4826f3bfba12160acdbcab98c92e9d7ea5d2b773423553cd7075025579fcdb43
AgentTesla
73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
AgentTesla
7d6bf00d1b0386114a7021a91332b12c8116a9c2d50272ef2f02f7b92a5289c8
AgentTesla
9a597f3b7ec4bb4a3e54c966b95ca6cb543ca467fbc9397a66713187d77a7b97
AgentTesla
b95c99701d429de9d8f52792d7a2b462ec6e342618a04ef419710b42e76293ff
AgentTesla
d11f4bc7f7b0a9b6d5d1cf605db3fe582b1be5f7324e03e6bf8f72b8a1741c3f
AgentTesla
e89219f47b9a6c36c1312fa377b30c1bc356e0eb380e4442e4bee9853dc20e93
AgentTesla
ed4cbfd724dfcd5029fea047bbe12287fb7c277e5d89e0c828e6e69f209adfa8
AgentTesla
eec75b1c545e3770daa6c181b8f0f2a8911df335d239282e894c68178aec7268
AgentTesla
+ 6'023 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210622-x49ch1rwjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d7b094a4f2d14bcfc0fd0739b0c4ab01fff297f52331c9aae8e5461f3125301f
MD5 hash:
3c4143a5751732c40619b9f661b8df63
SHA1 hash:
fa13a7ef88fa09c9fe86fc18fba703ddda12fb0a
Link:
https://www.unpac.me/results/d7aadfa6-df2e-40a0-8435-1f0fc59e5e54/
SH256 hash:
fb8549eceec8b762ba9cdd6415cc003a77297d00f1c2189b9d0b3be7181aab96
MD5 hash:
870193fe29626678f2c424439631454e
SHA1 hash:
ce7da6c463774ff9f98c162599c9ece4e0c8e842
Link:
https://www.unpac.me/results/d7aadfa6-df2e-40a0-8435-1f0fc59e5e54/
SH256 hash:
130cebc3c66c019a26c7a7dbefbe2635e0581e9dd42c19db33db87d72c81e2ba
MD5 hash:
41b3cb61199dc8315acfc5488848095b
SHA1 hash:
f1bb929405a2d6d0f99af541284e05ff69ac723c
Link:
https://www.unpac.me/results/d7aadfa6-df2e-40a0-8435-1f0fc59e5e54/
SH256 hash:
17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca
MD5 hash:
4e093a671799ddd0aa2805620da12354
SHA1 hash:
cb0fd92569995a32ee205cd2804b93d9752c0d4b
Link:
https://www.unpac.me/results/d7aadfa6-df2e-40a0-8435-1f0fc59e5e54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 17ecd0fe2c42c7cd07ffae7347ea8739306df44c1c96dff0a5debabd6ba8f7ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167584/

Comments