MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1
SHA3-384 hash: c39500acfcecf5d2407ddbb4c998dbe337b168408b34ca1c11983f774d406d9999155ab105f5f5e700caa76879602183
SHA1 hash: 76eedb61b2662bc1d6aa5d3c06fbc563827aadbf
MD5 hash: a626bf8ef5de8f5e07bf87be6256069e
humanhash: don-harry-mirror-carpet
File name:PO-21722.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:893'952 bytes
First seen:2022-02-17 07:29:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:FbrlIDipxVPOBF3Y0bZ1WZADsXshURjYf8lV7B5:FXlImpxVPOT3pbZMWQcAQ8T/
Threatray 14'807 similar samples on MalwareBazaar
TLSH T1B815BF5631FF1056C7A6EBF10BD8ACBF866EF173120F763931852B468766A40CA42376
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242177/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.57439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fareit greyware obfuscated packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/620df991a2660f3bb9ee522a/reports/683bfad8-787c-401d-a462-c29dd43974b2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941434
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 05:05:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dz23uwhvnnrua6hcwtuf2eubkiqvdarqx3ilpf4k7tdsrmpcbhqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
172f87bb27c59a83f26061358df1a3407cc46d8ebd5a65dc2a8e24c4f3765f71
AgentTesla
31a3c2f298b8b235303ecdcbe989f24ddda02a2da072c78cb0c6d0f8e9cd282a
AgentTesla
5daa6d0812c1fb4e5e8d60c8d7138a4397c0a22f3758ca26fd53fd7b33b4d6ce
AgentTesla
8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29
AgentTesla
9b7cd17432d810b59426747d9f1402df08dd8d80cfab512751c81200425f3735
AgentTesla
c57dfaaa1c64fbf06960185a807b04b04d3cf281dd32a2d0dc4bd8169584a50b
AgentTesla
f1f9a09a55fb15d3815a84ab374464b9fe698e28b7fae363d4487c9e4136f3c9
AgentTesla
f297f0a8651e14cf884331bc4ae10c238a6c79385741e507dc7df7c88b85beb8
AgentTesla
f779ac7255de70de168e1e493c82eba2dd5b459826d2840591b09b32593f1dca
AgentTesla
+ 14'797 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220217-jbvgaaafb2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/a386092a-eae3-40a4-8a66-55060045fb0a/
SH256 hash:
d1df25c9c70853b1acfde72b60a7dabbbb310e5bd8b6d6af4c99557ac7afb0fd
MD5 hash:
59afb12434db24b83304fcb94b5565f7
SHA1 hash:
6f85498a399e9f9bc2445a476f9544cd862d95d5
Link:
https://www.unpac.me/results/a386092a-eae3-40a4-8a66-55060045fb0a/
SH256 hash:
1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1
MD5 hash:
a626bf8ef5de8f5e07bf87be6256069e
SHA1 hash:
76eedb61b2662bc1d6aa5d3c06fbc563827aadbf
Link:
https://www.unpac.me/results/a386092a-eae3-40a4-8a66-55060045fb0a/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1e75ba58f56b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1e75ba58f56b634078e2b4e85d12815221518230bed0b7978afcc728b1e209e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/242177/

Comments