MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 10 File information Comments

SHA256 hash:	1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0
SHA3-384 hash:	f3f01d526fb517bc8f1af5b46325c4f1b83e83840bbd8a6f8adbaaea652aebc79ed89f881c462fca89981fe8e92be84a
SHA1 hash:	e8e75df0aa1c52eb0e2eda094dd1911b0884fa1a
MD5 hash:	ab377e46223bfbc4461392099be2a00d
humanhash:	iowa-friend-december-hamper
File name:	SWIFT EUR 16.760,38 20230914104546.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	345'714 bytes
First seen:	2023-10-24 05:34:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep	6144:JYa6LycQi78ruJ60vPGnvb4QV1aRxG0uSaIPvAhA0vPiuWeH8gER+p:JYBycfUuJ7nGn7aX1NMA0vaAHey
Threatray	113 similar samples on MalwareBazaar
TLSH	T12E74232C16A1C183CC6602306CBA5A36AFF6FC376CA4971F57917F067A31751998F3A2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SWIFT EUR 16.760,38 20230914104546.exe

Verdict:

Malicious activity

Analysis date:

2023-10-24 05:56:54 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/805ec511-3f62-4aae-92b0-67d33eb3f187

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455856/

Detection(s):

Sanesecurity.Malware.28947.BadP.UNOFFICIAL

Win.Trojan.Jaik-10008218-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control formbook installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6537578c559595e2910a66ec/reports/5f5b0b8a-e4bc-4391-b26b-5ffbae67df66/overview

Verdict:

Malicious

Labled as:

Trojan.Strab

Link:

https://www.hybrid-analysis.com/sample/1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5053787e-9058-4b47-9b25-19289c7f6d2b

Result

Threat name:

AgentTesla, NSISDropper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1331024

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-09-14 11:26:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dyxoiprgt5yui4swkbqh3acv5te5zz3532h5cp6cl62mqxaakwya._file

Verdict:

malicious

AgentTesla

0972105c3cb2d74e7cb3f00ddcc6cc96089524d5625b62f71e27d5857c6eba40

AgentTesla

2b2ed2623c8b0e1867fe816928be401f482453d8e6e7922660fa4fe9695127c0

AgentTesla

436f74f3d2537685ed53a9a83ae70cc1a98e987d90ba949ca879a854e2970ed9

AgentTesla

493e3d54159cd3ebde6aa0b5216ddcb14863b4b064bb80c654353838926d191d

AgentTesla

4c47c20fb3e45ebc53361f59b23f49ae5cf6354606de41d2f005d5381d85a209

AgentTesla

e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83

AgentTesla

fb5a97acf9b392addd2c222672ee4d97b6d1a39e6877734db1cb012f6a356793

AgentTesla

+ 103 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231024-f91t6scf86/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

f1e1c505249a2df3639acdb8a4727c1d03b05844f25a1a7f7b4cc60eedc659ea

MD5 hash:

0a639c97a172a3d3aa3542b9ef450d3c

SHA1 hash:

c548dc338918957ae999c35f6b1b0f54293fd91e

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/b614e313-b207-4c6e-8c37-15c63930d1a4/

SH256 hash:

602d9bdd61f007ef5d770fbd8917ef3f5efe9bb5eb97017b87024031ade72f02

MD5 hash:

665ce7efbc87a504c5cfb492ab0e9012

SHA1 hash:

9f4af5b748c3e3233e050c801c73bbab66924e3a

Link:

https://www.unpac.me/results/b614e313-b207-4c6e-8c37-15c63930d1a4/

SH256 hash:

d8254914278955cb56e514e8ea14af0ddc2b3a133356bae477ef6b8340d0b1bf

MD5 hash:

fc9f4e3df1350ebed93f23b12f8f5204

SHA1 hash:

28167cc22ee30d7c0ee8e9cede420428259bdebb

Link:

https://www.unpac.me/results/b614e313-b207-4c6e-8c37-15c63930d1a4/

SH256 hash:

1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0

MD5 hash:

ab377e46223bfbc4461392099be2a00d

SHA1 hash:

e8e75df0aa1c52eb0e2eda094dd1911b0884fa1a

Link:

https://www.unpac.me/results/b614e313-b207-4c6e-8c37-15c63930d1a4/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1e2ee43e269f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e2ee43e269f7144725650607d8055ecc9dce77dde8fd13fc25fb4c85c0055b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/455856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample