MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975
SHA3-384 hash: 67e28c09166f55d66e0ac2848cdd673d3500b637ab064facec06abf59d183a250803ff2cf8c2dd1cccacd955c2939d58
SHA1 hash: 94047f5eceea355cde7b817881fad487c68a62f8
MD5 hash: 0745767293956ba51033b66ef17416c7
humanhash: cola-jig-november-robert
File name:BL-018907-DKAEQU7EMEZSG1O-0972-PDF.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:596'480 bytes
First seen:2022-02-03 07:58:30 UTC
Last seen:2022-02-09 10:19:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iF7p3BQJFhwBnccBMYZ/SrH+kTIfZF8T/oOQevY7QLrJ:uQJFC0YZ6D+RFxOFY76J
Threatray 14'775 similar samples on MalwareBazaar
TLSH T1B6C4F1B1F69A9581E52B9A3222757C41023A3EE39EC5DB191328F2480FF77504F66B4F
File icon (PE):PE icon
dhash icon 96d4acda6cb4dc0c (25 x AgentTesla, 12 x Formbook, 10 x Loki)
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/231722/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/381e0812-94f6-41ea-b75b-6807002f02ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933702
Behaviour
Behavior Graph:
n/a
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 02:40:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhvhboc5dygfzhe6xmpsiexocszwhwsf6w5gr57y5iqx7zw4xf2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c
AgentTesla
1f2c5bbf4e24b8a53941763b570843d3ac01a6add3d86b94300f476c98238f32
AgentTesla
2a411486f86d7a28869c33afc7efec53f718b0613f91b6a28a6d3343aeba8e63
AgentTesla
3687b0bfbf59a946e26f68c6eecd9f4cea7727bdfbaa7c28a39ff2d1b67095ba
AgentTesla
6c74ca9ce17decdf3ec659c61aae4b2835b4a829fb2a285d5b36e38b8f86a0b4
AgentTesla
fbd1cc6a4525f2f98fc3cb5f10e0c070a3532deb96e3765afb9a777b12efc305
AgentTesla
+ 14'765 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220203-jvf31aeddj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Sets service image path in registry
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/aa9799d8-5d7f-4e90-8505-c299b6003450/
SH256 hash:
f4356df80132cebe41d6212830381fc6bac79d75a1d82de1fd1fbf6d45cced13
MD5 hash:
18721744d842792d479487f4e04d43d8
SHA1 hash:
6fee1ff98a8b9d82603defe341463036973bf498
Link:
https://www.unpac.me/results/aa9799d8-5d7f-4e90-8505-c299b6003450/
SH256 hash:
7b75c3b615c62a7425a3b1cf1165b752dacf2a37713a54b7dbd650469f10b436
MD5 hash:
ee39509e577a1bfb9003a13674999df8
SHA1 hash:
6dc59a71054b4b8ebcdeea2705a83c5ed960ed16
Link:
https://www.unpac.me/results/aa9799d8-5d7f-4e90-8505-c299b6003450/
SH256 hash:
19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975
MD5 hash:
0745767293956ba51033b66ef17416c7
SHA1 hash:
94047f5eceea355cde7b817881fad487c68a62f8
Link:
https://www.unpac.me/results/aa9799d8-5d7f-4e90-8505-c299b6003450/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/19ea70b85d1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 1469a1d40499aa89afbd02aaf30d0801d324e6a33b42fd082ece97b3dcb4fc27

AgentTesla

Executable exe 19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1469a1d40499aa89afbd02aaf30d0801d324e6a33b42fd082ece97b3dcb4fc27
Cape
Cape
https://www.capesandbox.com/analysis/231722/

Comments