MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e7a5ec7a9f4597d283332e8358a0b0250ab413caed5dd220298b875aa999d5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5



SHA256 hash: 1e7a5ec7a9f4597d283332e8358a0b0250ab413caed5dd220298b875aa999d5e
SHA3-384 hash: c902455c847b8df01de779a5e870e3c51c8b74d1f35097ac7a0d6aec824d03c8bb30d5771b4322c50d2113d0ab474f7f
SHA1 hash: 36c04dff9fe8ef659ab7430355817f1853863a21
MD5 hash: f1694c8b8de886aa19fd041898015faf
humanhash: mars-lemon-alanine-oregon
File name: TT COPY.exe
Signature: AgentTesla
File size: 349'696 bytes
First seen: 2020-11-19 01:09:47 UTC
Last seen: 2020-11-19 01:40:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 6144:i2w7GXkYhWlazjhp5BQ6qwbGTxw1NWmzr2ReL3LIUJ5/EAmg+O8:dwaHhXCwGSFuOLEAmDT
Threatray: 17 similar samples on MalwareBazaar
TLSH: 69748DF0A12A8894E56F0376A8A97E5103727E8BDDCA5C0C226D75532BF3353BD4684F
Reporter: GovCERT_CH
Tags: AgentTesla
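Before detonating anything pulled from this entry, confirm that the bytes you have are the bytes the entry describes. The following is an added example, not part of the MalwareBazaar page: it recomputes the four digests listed above with Python's hashlib and compares them with the entry's values. The SAMPLE_BYTES value is a constructed placeholder (the sample itself is not embedded here), so the comparison is expected to fail for it; with the real file read in binary mode every digest must match, and a partial match (MD5 agrees, SHA-256 does not) must be treated as a mismatch. imphash and ssdeep are not recomputed: they need the third-party pefile and ssdeep packages, which is an assumption outside this block.

```python
import hashlib

# Constructed stand-in for the file contents. NOT the real TT COPY.exe; the real
# sample must be downloaded separately and handled inside an isolated analysis VM.
SAMPLE_BYTES = b"abc"

# Identifiers copied verbatim from the MalwareBazaar entry for this sample.
ENTRY_IOCS = {
    "sha256": "1e7a5ec7a9f4597d283332e8358a0b0250ab413caed5dd220298b875aa999d5e",
    "sha3_384": ("c902455c847b8df01de779a5e870e3c51c8b74d1f35097ac7a0d6aec824d03c8"
                 "bb30d5771b4322c50d2113d0ab474f7f"),
    "sha1": "36c04dff9fe8ef659ab7430355817f1853863a21",
    "md5": "f1694c8b8de886aa19fd041898015faf",
}


def fingerprint(data: bytes) -> dict:
    """Compute the four digests that MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def compare_to_entry(data: bytes, expected: dict = ENTRY_IOCS) -> dict:
    """Return {algorithm: bool} for each digest in `expected`.

    MD5 and SHA-1 are collision-prone and are listed only for legacy lookups;
    a result where they match but SHA-256 does not is a mismatch, not a near miss.
    """
    actual = fingerprint(data)
    return {algo: actual[algo] == expected[algo].lower() for algo in expected}


def is_entry_sample(data: bytes, expected: dict = ENTRY_IOCS) -> bool:
    """True only when every listed digest agrees with the entry."""
    return all(compare_to_entry(data, expected).values())


if __name__ == "__main__":
    # With a real file: data = open("TT COPY.exe", "rb").read()
    for algo, digest in fingerprint(SAMPLE_BYTES).items():
        print(f"{algo:9} {digest}")
    print("matches entry:", is_entry_sample(SAMPLE_BYTES))
```

Usage: replace SAMPLE_BYTES with the file read in binary mode; is_entry_sample returns False for the placeholder above because it is not the sample. Pass a different dict as `expected` to check the two unpacked files listed further down the page.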

Intelligence


File Origin
# of uploads: 2
# of downloads: 133
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-18 08:54:11 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
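The two behaviour lists above (the sandbox signatures under Vendor Threat Intelligence and the "persistence spyware" behaviours here) describe the same AgentTesla pattern: WMI queries against Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter to fingerprint the host, a dropped file under %AppData%, a Run key for autorun, and reads of FTP, e-mail and browser credential stores. The block below is an added example, not code from the page or from any vendor's sandbox: it runs that triage logic over a constructed "kind|detail" event trace (the trace, paths and value names are invented for illustration, not taken from this sample's report) and returns the same coarse labels the page uses, evad / persistence / spyware. Adapt the event parser to your own sandbox's export format.

```python
import re

# Constructed sandbox trace in a simple "kind|detail" form. Illustrative only:
# these are not events recorded for the sample on this page.
SANDBOX_EVENTS = [
    "wmi|SELECT * FROM Win32_Bios",
    "wmi|SELECT * FROM Win32_BaseBoard",
    "wmi|SELECT * FROM Win32_NetworkAdapter",
    "file_create|C:\\Users\\victim\\AppData\\Roaming\\svcupdate\\svcupdate.exe",
    "reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcupdate",
    "file_read|C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    "file_read|C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "file_read|C:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\abc.default\\logins.json",
    "net|UDP 8.8.8.8:53",
]

# WMI classes named in the sandbox signatures above; queried to spot VMs.
VM_PROBE_CLASSES = {"win32_bios", "win32_baseboard", "win32_networkadapter"}
WMI_CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.I)
# Standard autorun branch (Run and RunOnce), any hive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)

# Credential stores stealers of this class read. Checked in this order so a
# Thunderbird logins.json is attributed to "email", not "browser".
CRED_STORE_HINTS = [
    ("email",   ("\\thunderbird\\", "\\outlook\\", "\\foxmail\\")),
    ("ftp",     ("\\filezilla\\", "\\winscp\\", "\\smartftp\\")),
    ("browser", ("\\login data", "logins.json", "key4.db", "signons.sqlite")),
]

# Fine-grained tag prefix -> coarse class used in the page's verdicts.
CLASS_OF = {"evasion": "evad", "persistence": "persistence", "spyware": "spyware"}


def classify_event(kind: str, detail: str):
    """Map one sandbox event to a tag, or None when it is not interesting."""
    lowered = detail.lower()
    if kind == "wmi":
        m = WMI_CLASS_RE.search(detail)
        if m and m.group(1).lower() in VM_PROBE_CLASSES:
            return "evasion:vm-detection"
    elif kind == "reg_set":
        if RUN_KEY_RE.search(detail):
            return "persistence:run-key"
    elif kind == "file_create":
        if APPDATA_RE.search(detail):
            return "drop:appdata"
    elif kind == "file_read":
        for tag, hints in CRED_STORE_HINTS:
            if any(h in lowered for h in hints):
                return f"spyware:{tag}"
    return None


def triage(events):
    """Return matched findings, the sorted tag set, and the coarse classes."""
    findings = []
    for line in events:
        kind, _, detail = line.partition("|")
        tag = classify_event(kind.strip(), detail.strip())
        if tag:
            findings.append((tag, detail.strip()))
    tags = sorted({tag for tag, _ in findings})
    classes = sorted({CLASS_OF[t.split(":")[0]] for t in tags if t.split(":")[0] in CLASS_OF})
    return {"findings": findings, "tags": tags, "classes": classes}


if __name__ == "__main__":
    result = triage(SANDBOX_EVENTS)
    for tag, detail in result["findings"]:
        print(f"{tag:24} {detail}")
    print("tags:", result["tags"])
    print("classes:", result["classes"])
```

The "drop:appdata" tag is kept separate from the three classes because a file written under %AppData% is only suspicious in combination with the Run key that points at it; the ordering of CRED_STORE_HINTS matters, since several mail clients reuse Firefox-style profile file names.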
Unpacked files

SHA256 hash: 69098f58d0a107de6bae67364e744cfdccfcd572b4bd36532ec0f6bb5fdc39f5
MD5 hash: f839e9b8e1e09381241e6529473b8d1d
SHA1 hash: b70e312c90de10b2182cec8140171a175367d42e

SHA256 hash: d9aba0c0fad98120d9089a9114dfcadcacc6882652156c106362ef95443bc16d
MD5 hash: f9213fe12bca39edd1da00ce2cb4d7e0
SHA1 hash: c03929d243b455b052c3af4ae63998f67a337ac1

SHA256 hash: 1e7a5ec7a9f4597d283332e8358a0b0250ab413caed5dd220298b875aa999d5e
MD5 hash: f1694c8b8de886aa19fd041898015faf
SHA1 hash: 36c04dff9fe8ef659ab7430355817f1853863a21

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ClamAV_Emotet_String_Aggregate

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: SHA256 592f036130998bc7caf844ddebbf69c3bc05c311e18ec76f4777b2ca21e304fc (MD5 4b9d9722fe863a6bdb3748cac8fc3295), signature AgentTesla
This sample: Executable exe 1e7a5ec7a9f4597d283332e8358a0b0250ab413caed5dd220298b875aa999d5e, signature AgentTesla
Delivery method: Distributed via e-mail attachment
