MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e571f47905c6b8a5fddfbae4abb19eb0c765431895868f9bac202c30ff42b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 8



SHA256 hash: 1e571f47905c6b8a5fddfbae4abb19eb0c765431895868f9bac202c30ff42b32
SHA3-384 hash: b567029082f017dee010cf1024cf5bfc82a2c7096067bf2c70cf774546cea75dc9a9b57292bb5e14137e3e8fec81d93c
SHA1 hash: 0278204b6b461a8f11a681891522a64bd11ae522
MD5 hash: fe06eebf1c5b8b1082cfef2b6f0490f6
humanhash: eighteen-steak-hotel-hawaii
File name: PROPERTY FOR SALE CYPRUS 300,000 EUROS.scr
Signature: AgentTesla
File size: 844'800 bytes
First seen: 2020-12-26 19:00:28 UTC
Last seen: 2020-12-26 20:31:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:vB9ADt2U274HdA0a0oQnTEmcqRwdzmMxq3Ip1Zt9tYacKTLAaOXGnwoooooooo+x:H2t2f71q5S/dpftXjLAaOXGnP
Threatray: 1'994 similar samples on MalwareBazaar
TLSH: 7505D0602F851F1AE47E973D52B5405493F8E103EB2BE969BEEA1085DE70FC49A31707
Reporter: abuse_ch
Tags: AgentTesla scr


abuse_ch
Malspam distributing AgentTesla:

HELO: server0.gbfasthost.co.uk
Sending IP: 193.39.253.100
From: Realtorlansbreysales <sales1@reinvest.com.cy>
Subject: Property Details In Cyprus, Check pictures and Prices
Attachment: PROPERTY FOR SALE CYPRUS 300,000 EUROS.gz (contains "PROPERTY FOR SALE CYPRUS 300,000 EUROS.scr")

Intelligence


File Origin
# of uploads: 2
# of downloads: 314
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PROPERTY FOR SALE CYPRUS 300,000 EUROS.scr
Verdict: Malicious activity
Analysis date: 2020-12-26 19:01:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2020-12-26 15:09:22 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe 1e571f47905c6b8a5fddfbae4abb19eb0c765431895868f9bac202c30ff42b32 (this sample)

Delivery method: Distributed via e-mail attachment

Comments