MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
SHA3-384 hash: db8b1cb6b2b304c3fc30ea0c641df10a484f9e2e0e51fc17f910b223c897611fd6e31ea5152f7625a921d3eb72f19f1c
SHA1 hash: bf8aed9228f88f7ddfb2722305c9cc099d488ad6
MD5 hash: 6bbf880c0fc2abd697d148b7802a449e
humanhash: carbon-xray-timing-potato
File name:AWB 9899691012 TRACKING INFO_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:724'395 bytes
First seen:2021-01-26 14:17:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 12288:cALR/W2+xUbI/IoXuwB4k6iRryy6qZ/lYNokOby33ZK1zi1J6s+Wady/KbMfB5uY:cAR/QxF/fXp1R7Plqok73YNirRHadVbY
Threatray 2'440 similar samples on MalwareBazaar
TLSH 6CF423A57250C173E2061B3D6EB8239F63F0921B157C61CB7B989B27F6917D2642F232
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB 9899691012 TRACKING INFO_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-26 15:17:26 UTC
Tags:
autoit rat agenttesla
Link:
https://app.any.run/tasks/2d7f0cb7-e22d-44e8-85b0-db5f4f33eeb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113916/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/590766
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 04:05:39 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3fvn6xjjwyxgmxcm75c26daqowiemutq34eaukso2gnemnebjlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420
AgentTesla
306e5b34b75ce392b55691abcda73d75d7f8717e286cadc36c5582c7ebde621b
AgentTesla
5c29a539dce239a74350459e71421bec8f0e925b218aeb8aed8e3067d2ae7f32
AgentTesla
9c7002e97c59c4c190abb09e373a5f1010b4790dbcb714e792538e73820d5609
AgentTesla
d8342bc5be6d94ead3b75ef8f1ecfcf93ca0c001c77c7832edd6c79169f2cf88
AgentTesla
e10c50ccf291423e5b5205ceb99349f63dcdface40517c70bf7486f119ec1ee4
AgentTesla
e640dcc83b88144d234670a8ce722aada3b3472ad0892e884c9d8b6cf460af1d
AgentTesla
e9bd86ab3129da3447a70bac66feb2f90f7829e5b4595cff15a31a45b1cf82f7
AgentTesla
ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870
AgentTesla
f104dda9f5fb6e0f5659843ce1698c2da434fe2cd9e986a4cd410c0473ca6cf6
AgentTesla
+ 2'430 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210126-yjldhzdxls/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
Link:
https://www.unpac.me/results/f96cf9e8-0a29-4758-9e8e-a507bba2ec5b/
SH256 hash:
ae0cd0ddad2fca8ecae663e6e8628e1e4554d6e69edfacf90856f2a4e23e2e9e
MD5 hash:
e0c570ee4640a235ff6df97122c747d8
SHA1 hash:
8e56e2ba79038d8780453156621641f61ff93bd2
Link:
https://www.unpac.me/results/f96cf9e8-0a29-4758-9e8e-a507bba2ec5b/
SH256 hash:
e9b84af8b2715aa8e82b5aa6cdc064b4658db4283de8e8e897e0f2498f3a2878
MD5 hash:
e22a9c5e1a6f7c03600ec350850a3b51
SHA1 hash:
1cc0197ddcd6463098a2879975d92a1a9e5b3942
Link:
https://www.unpac.me/results/f96cf9e8-0a29-4758-9e8e-a507bba2ec5b/
SH256 hash:
1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
MD5 hash:
6bbf880c0fc2abd697d148b7802a449e
SHA1 hash:
bf8aed9228f88f7ddfb2722305c9cc099d488ad6
Link:
https://www.unpac.me/results/f96cf9e8-0a29-4758-9e8e-a507bba2ec5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/113916/

Comments