MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209
SHA3-384 hash: 8a561ee3f075b94dd5081bd9eabfe5f0a121558064991792c1d5fcec39e18822c06d77f602c5e857a5220673cdf06afc
SHA1 hash: 1c33a8d5d1775777f45793e5e97d408fe055b13f
MD5 hash: e5b5fde8d8579dca685c942019b10ea1
humanhash: skylark-solar-early-georgia
File name:e5b5fde8d8579dca685c942019b10ea1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'101'656 bytes
First seen:2020-12-22 13:18:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NOJIBXGzqziruRLdm+CiEtOdX2SRX4Plcm93RzUl4CCjG4vsSsbcYHVq3Z+4QqNS:NOJINL
Threatray 1'960 similar samples on MalwareBazaar
TLSH D2A52E02498168CBD7B2D490A38EC2D6B38795DCE7EA6FD4BE10E21531CC467EBB9D41
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e5b5fde8d8579dca685c942019b10ea1.exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 14:01:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fba8e73d-c337-45e9-b1b2-e1d18e14477a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108902/
Detection(s):
SecuriteInfo.com.ArtemisE5B5FDE8D857.18764.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568304
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333222 Sample: 5cHIX9Sf17.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AgentTesla 2->40 42 6 other signatures 2->42 6 5cHIX9Sf17.exe 3 5 2->6         started        10 5cHIX9Sf17.exe 2 2->10         started        12 5cHIX9Sf17.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 26 C:\Users\user\AppData\...\5cHIX9Sf17.exe, PE32 6->26 dropped 28 C:\Users\...\5cHIX9Sf17.exe:Zone.Identifier, ASCII 6->28 dropped 30 C:\Users\user\AppData\...\5cHIX9Sf17.exe.log, ASCII 6->30 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 6->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->56 58 Creates an undocumented autostart registry key 6->58 60 5 other signatures 6->60 16 5cHIX9Sf17.exe 2 6->16         started        18 5cHIX9Sf17.exe 10->18         started        22 5cHIX9Sf17.exe 11 6 12->22         started        24 5cHIX9Sf17.exe 14->24         started        signatures5 process6 dnsIp7 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->44 46 Tries to steal Mail credentials (via file access) 18->46 48 Tries to harvest and steal ftp login credentials 18->48 50 Tries to harvest and steal browser information (history, passwords, etc) 18->50 32 api.telegram.org 149.154.167.220, 443, 49768, 49769 TELEGRAMRU United Kingdom 22->32 34 192.168.2.1 unknown unknown 22->34 52 Installs a global keyboard hook 22->52 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 13:19:05 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekbkkdjtc57jqkqhasbjzrifhhiiu4jstss27oitfiu3sqaruieq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12885b0462e6977afc7c42d03c8e039a5df25f70b610177b8e02f6642847584b
AgentTesla
313c25e0c0344b4de6862f596d63976684b68321e133bb7dc7ffc7b5e311f6a0
AgentTesla
380d24b4eb045aa88a24c1cb99e3645ba6f5ebb1ee229d61dfb6e2eee7a74bd3
AgentTesla
381dd9808ccf85e188bdb572dd8144b181a8ba5160ac5d617146d4250171174c
AgentTesla
3be787bec6c661048c534c126761c2be937e70cb5ce8f1922cca5f4f22106b54
AgentTesla
7326dddf5871d9ea2a91b0698527b830bb819e899f3eeabf9d46bb4d1c6d0af9
AgentTesla
769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52
AgentTesla
93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08
AgentTesla
e7b159209d33644fbf175828dfce46b31db1c74ae69a3183e59a7226c84391dc
AgentTesla
f47943ba2297aa6fea4e7661631b16164475196dd3dc5fd93cfcdb9aeeb50a60
AgentTesla
+ 1'950 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201222-4g5wzz6tnj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
6399347b1df523d86b0cc341b88bef34a6ca5b7945ad96088d4266da69e4c88d
MD5 hash:
c7badb6f06cddf21332da4cfdb479c6f
SHA1 hash:
5afd959dc6e6354a7125d004228b6766738232a3
Link:
https://www.unpac.me/results/afeee0cf-820d-4325-ab3f-83146967c7df/
SH256 hash:
c371f522cee8c5d560e83feeec4435f9c5b7bbe435daea783395aa0b86cd79e4
MD5 hash:
d37cc19f15c3e1081bed507e6703360e
SHA1 hash:
8e411d3a51bb5a05ac4dd27d4fea4a10c55eaa3c
Link:
https://www.unpac.me/results/afeee0cf-820d-4325-ab3f-83146967c7df/
SH256 hash:
2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209
MD5 hash:
e5b5fde8d8579dca685c942019b10ea1
SHA1 hash:
1c33a8d5d1775777f45793e5e97d408fe055b13f
Link:
https://www.unpac.me/results/afeee0cf-820d-4325-ab3f-83146967c7df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2282a50d33177e982a0704829cc50539d08a71329ca5afb9132a29b94011a209

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/938240/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108902/

Comments