MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90
SHA3-384 hash: 6f5a8e6e96fa158b02a980b97aae51e14278fb39114273523fe27ea6642f0c539446e7c2d91b91e58ba6564407fd1bde
SHA1 hash: 3b66859e45c69e14f024a58db3d6ec845044e51b
MD5 hash: c4acba7481b3737d056ec5ce890151ab
humanhash: echo-sink-mockingbird-angel
File name:c4acba7481b3737d056ec5ce890151ab.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'216'000 bytes
First seen:2021-07-12 14:58:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:nltbgoXVj7yPRm4M4WkRaQ2/ucg0n5f9l6PIYpbjb6:nvbgohmo3z6ahtD5FcxbH
Threatray 6'603 similar samples on MalwareBazaar
TLSH T1A045AE2923FD9109F23BFF719FA0F3458FA6BA769229D14D68C4030A5871D81EE76532
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.jtinti.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCUMENT.doc
Verdict:
Malicious activity
Analysis date:
2021-07-12 12:21:23 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/edf7770f-b370-4906-a1dd-02ad3a78d8cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171150/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.925.8703.294.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ef76c62-9eb2-4abc-9248-b993cc485e50
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/814982
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 14:59:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2den4o2p7iggr3ac42xptxctecjuh25m7x3q7hfdwnpitmq32ia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fd24182ae201889c3d558acce14173beed490188ca84a194fed05e0db536b50
AgentTesla
33fab01e9baaafc2a5534494c5b1ffa900d414694b5c499c9a4180959268a602
AgentTesla
47c700a9a4cc5589c3acd273c4536952c5c0db7ad1f94408b4e6097d48fdb581
AgentTesla
4f8ddfeb0d48d3815a6408f908e164ac7538148bab73b7b07885e26049929eae
AgentTesla
9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454
AgentTesla
a09ad5ee3ef9214717004d7e8c2761a0a2f010e74755f4c99ab4be8d592794cc
AgentTesla
c41601bbc1ad5ed328f42d9b63fa99cc372359e0d7cbf970026646a3e2b924bb
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
d8a1d6d264251e89604f5ce4fad4612b346e2b020f560b3841fb98de82b03340
AgentTesla
f482837bcd21caa30b2f7bf2550fb6d13d61aa7e4e0c66219bd085dd16b9481d
AgentTesla
+ 6'593 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210712-3sqrwxzhj6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0109c7e4289d16b245c983cd60bccf060223c94ffc1c929c64e7c0582bc7250f
MD5 hash:
6bb933df7569d73b0b6967e5216de5cb
SHA1 hash:
fb57b082bddf098fae15cd4e84d1deb8370799a4
Link:
https://www.unpac.me/results/536f8be7-aef4-48d7-b8c7-bc390a0a01ff/
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/536f8be7-aef4-48d7-b8c7-bc390a0a01ff/
SH256 hash:
b1a5eb93e24eed192051cb23ff0f342b278e1f536103a576001f991de2685d13
MD5 hash:
8514eb9e35a4f0b310cecee8e377c239
SHA1 hash:
e874fba7a04626e20bf513be181309b37f946f00
Link:
https://www.unpac.me/results/536f8be7-aef4-48d7-b8c7-bc390a0a01ff/
SH256 hash:
0bd24762e8a36d92d50834cf78903fd218257a8a955607582cc41b9e2ae19012
MD5 hash:
40756986661a2f7f61e2e4a4b03ce03b
SHA1 hash:
4cc1cb1a73e7132c1d1ca37b3a15055718fa35a4
Link:
https://www.unpac.me/results/536f8be7-aef4-48d7-b8c7-bc390a0a01ff/
SH256 hash:
1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90
MD5 hash:
c4acba7481b3737d056ec5ce890151ab
SHA1 hash:
3b66859e45c69e14f024a58db3d6ec845044e51b
Link:
https://www.unpac.me/results/536f8be7-aef4-48d7-b8c7-bc390a0a01ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1e8646f1da7fd0634760173577cee299049a1f5d67efb87ce51d9af44d90de90

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1447695/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171150/

Comments