MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92
SHA3-384 hash: 60617f5eac06f215639f6980afe5d455ca272a9c3ebd387b952ea19825fc97c9c6696c89557193ba1db079353f7e8adc
SHA1 hash: 37f36659f007ede04e7195feb3451e5e9693e10e
MD5 hash: ef3d6cb7183eda95c2bc3564af38215e
humanhash: kansas-mango-floor-snake
File name:ef3d6cb7183eda95c2bc3564af38215e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'120'768 bytes
First seen:2021-07-20 12:31:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:8zprQz/MpI2HwV8Ak7TuIiyvUIZbV8PwPSIVwOWFsf1MrX3B4BVtNzbiDCRpoT5:yxAqTJvDB8PwPSIsq1MDB4xNzbi2PoN
Threatray 7'081 similar samples on MalwareBazaar
TLSH T15D357B14236B5F98FC7EA7762438000057F5F80BD32ADA0DBDE610DD1A52F968AB2B57
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ.doc
Verdict:
Malicious activity
Analysis date:
2021-07-20 09:15:29 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/cc6b1e9c-02ee-40f3-9ecb-1e450021a731

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172806/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7564ff5-e752-4466-9446-74835af9e1b2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/818916
Signature
Found malware configuration
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 15:29:53 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzl6yo3ctymbkxibgkp5psrji7zq66u5xnvgby7v3yxq3cju5wja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
269f4d17d4d613d6d23c3e96da17ee29cd8b10d95bbceb89fa433060a53e4620
AgentTesla
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
AgentTesla
4f1f2de3fd4bd8f68c2497e83a4fe2c163735b0613eedf1bb111870e4237b136
AgentTesla
51eb7e5e2034ecc3743a2bdf49627342f0cdcaf82384dc09812228618643c51c
AgentTesla
76346f54715f74b9d2e8b679d8d68b13dc3a6b2e032e9c9ca327d7d285d55c39
AgentTesla
c2ddf339221a70ef5a3aca2ee22faad4884b2281ac5e9add22eb9829784986d9
AgentTesla
d0638a8dd7cdd32f69d17312f76a526f025c29511dd2fd9ba7bddc51867bc912
AgentTesla
eb49079f48b94e03346f8e7e2e6d90853fcadf1547ef19ae62c2d0ab9dc23460
AgentTesla
+ 7'071 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210720-hqdalbjwce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0a1f1e793d2ea53ab3e962c34a643b3131f8775d0238fe4dc1bbb880516ce1a1
MD5 hash:
8755d400c5d81fdab2d2e29348fb02f5
SHA1 hash:
b4a26f5e8284d14096ca941870bc454d35081f4e
Link:
https://www.unpac.me/results/08c52d01-313b-49ca-8894-caa0953f8688/
SH256 hash:
6b73397fbdf0b8f3f8a528bded21b9425eeff5c7c942994de3c8098ba681f57a
MD5 hash:
55202a5a672c77a0de9d0c0cfb427a3e
SHA1 hash:
79b45773850f12c03d82e54e58f31877b214ba98
Link:
https://www.unpac.me/results/08c52d01-313b-49ca-8894-caa0953f8688/
SH256 hash:
2ab214b4fccc79f91b42fe22df5ad0c8313f3b3cef4aeeaa020b6c34380b7b6d
MD5 hash:
ce0404786c36f34158415d5c8bcd1e75
SHA1 hash:
55b81b3b0629a8229f2cd332c8205997a47750e3
Link:
https://www.unpac.me/results/08c52d01-313b-49ca-8894-caa0953f8688/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/08c52d01-313b-49ca-8894-caa0953f8688/
SH256 hash:
1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92
MD5 hash:
ef3d6cb7183eda95c2bc3564af38215e
SHA1 hash:
37f36659f007ede04e7195feb3451e5e9693e10e
Link:
https://www.unpac.me/results/08c52d01-313b-49ca-8894-caa0953f8688/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1e57ec3b629e18155d01329fd7ca2947f30f7a9dbb6a60e3f5de2f0d8934ed92

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453931/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172806/

Comments