MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18358c2ed48dc177f6d9514482bad1ce063d5e403a20f1a1306436abd268c114. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18358c2ed48dc177f6d9514482bad1ce063d5e403a20f1a1306436abd268c114
SHA3-384 hash: 165622d31bbf3c69e2fd92fefd7b53bcb6c5ed3ce86e04a5d26caf027ebd858710e1a8acf4ba5f3c7140c17d9f5a0918
SHA1 hash: ec7912578aebe9a47c25b34ce1a5fa51ae8f1086
MD5 hash: 5bcba8db5c90fa4fe2487378c18e8749
humanhash: hydrogen-butter-kansas-oranges
File name:5bcba8db5c90fa4fe2487378c18e8749.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:937'984 bytes
First seen:2022-02-09 16:13:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:kvESA5JPXkDy/vlAE8K6MpZD+Zkeea9nGG:DPky/vlAE36IMZPnGG
Threatray 15'528 similar samples on MalwareBazaar
TLSH T1C415CE2B487F123AC1BCDBB15984CE2FB992CD663533991D198236D919367F231D222F
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
zytrox.cf:25

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239711/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.25375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6203e85c8673df1bb438ee4c/reports/9aead755-4182-4c2f-8c48-2121694d7308/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edf32f68-5e03-4dfb-a48e-c65fc6f2ac39
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937089
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18358c2ed48dc177f6d9514482bad1ce063d5e403a20f1a1306436abd268c114/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 16:14:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=da2yylwurxaxp5wzkfcifowrzydd2xsahiqpdijqmq3kxutiyeka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
43f6ad854267974db380b33b4f8b809b57acd28d9fd4448841decd63686e1f74
AgentTesla
4bbb3743225efc4821fed4984d9d41c3fbae8e405bd800b96016e2665bf30c9a
AgentTesla
5a82ef3afe4758cb4846122d6edc9cf726b6a520fbaff9452a32cce542c67dbe
AgentTesla
6be78f9927e05b2e51d5815ed538ad7bf3e3770c1bbb63f4b5daad4ce75e14dc
AgentTesla
a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed
AgentTesla
cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37
AgentTesla
db6089455e43b93f9ec1813728e5888f67a6eb9be64aea79775f315520b4cc26
AgentTesla
efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3
AgentTesla
+ 15'518 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220209-tpm98sahc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
be0e0a9a71693b84d56dbfe2d3ab62c8729dec1f23fa7da9439fa3fc42a2526b
MD5 hash:
8d7e4d142665a7d82fd99fa3bb4143c6
SHA1 hash:
8d534788dd85a1d93c70b8f708211edc2cc2bce3
Link:
https://www.unpac.me/results/bb4d385c-1e5e-426c-b860-5630d6545399/
SH256 hash:
c6af8af58a4eba4dbb271eaf092eb6f11bdd62df031c6760c3a27b59251395fc
MD5 hash:
04cf7971d83c88da72f1339087b70eea
SHA1 hash:
7bec63fe2fb133ef54d4c09f845c5fa5b318ce88
Link:
https://www.unpac.me/results/bb4d385c-1e5e-426c-b860-5630d6545399/
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/bb4d385c-1e5e-426c-b860-5630d6545399/
SH256 hash:
18358c2ed48dc177f6d9514482bad1ce063d5e403a20f1a1306436abd268c114
MD5 hash:
5bcba8db5c90fa4fe2487378c18e8749
SHA1 hash:
ec7912578aebe9a47c25b34ce1a5fa51ae8f1086
Link:
https://www.unpac.me/results/bb4d385c-1e5e-426c-b860-5630d6545399/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 18358c2ed48dc177f6d9514482bad1ce063d5e403a20f1a1306436abd268c114

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1996308/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/239711/

Comments