MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431
SHA3-384 hash: 83f258415cd66edd29e845658f1119e0d054523d85dd35922b9dd817a54bcbfc0e51ac98ed10ef0932dac58a35dd288a
SHA1 hash: 5b38df4eb0172ceee58625d9976bbc8034c633de
MD5 hash: 8e9950ad82cd29bde835f2a4dc42a0be
humanhash: river-lion-oven-mango
File name:DINTEC order list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:948'224 bytes
First seen:2021-01-15 08:49:40 UTC
Last seen:2021-01-16 07:37:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:SYfFwNj59fXbzLGYwbuT/aElE9Yt9gusNqd+BMP:SYfFwftLvpwbEllzt9g5ch
Threatray 2'159 similar samples on MalwareBazaar
TLSH 5D15AE7C277BBE4CD1781AB60DE1592707623D0624F8D61E0CD97ECA0576B402EA9EB3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DINTEC order list.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-15 08:52:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86434125-e2d4-4f2b-afc0-2279f919c7df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114520/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582361
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 06:21:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyicgpyuraxctwrbghtshhfykdbvihqbj73xzzi2di2v62sx4qyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2dc1258101b1183ad4e08320f15310cad541c900919e98e0816c751fee303306
AgentTesla
5cf8e944ea54195e221343dec2bb3728c5faecc2b55be781b597503a7ae2fd39
AgentTesla
63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774
AgentTesla
6f6a4ba365d2b3086b4c7c98d45e7216ac000bce60094e92023868b11750f4b1
AgentTesla
8f74c5871c33b4bf63b43f3e7e216dae1cc92e79cd0035422c8eb6768b98dc06
AgentTesla
a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756
AgentTesla
aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240
AgentTesla
f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8
AgentTesla
f473ac0704e2a9083c308f5f016f05682e69ba1a201b493d65a5a7bb09538405
AgentTesla
f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0
AgentTesla
+ 2'149 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210115-11cv2jl19x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
366da8a6cbd04282ab6ef9c2ffc25d4aee0e52461da78ecc17ecba2db39ed834
MD5 hash:
460571c0e5a72a62cd42adc66616f197
SHA1 hash:
88f9305bd2a88cac12574fa86922a1b9c63dd32c
Link:
https://www.unpac.me/results/27c77cde-7011-48c8-807f-bb2861488d30/
SH256 hash:
c33cee06a0dcb90283c413029358f95ac243538fb26cdd3884932ab9d4df69c0
MD5 hash:
3b9b96c16aa94eb085edd10ba11157b1
SHA1 hash:
4468b18b9156c1507885fe784fa557147b91e3c4
Link:
https://www.unpac.me/results/27c77cde-7011-48c8-807f-bb2861488d30/
SH256 hash:
f3ea20f6815e7f5f5159971ea2714811dcc4b41c31bceb3514f60c3eeed81dbb
MD5 hash:
9951799b56282c51f5b64c5c150df857
SHA1 hash:
33c35765c67cbb3e582af839bb384a75338b4d3e
Link:
https://www.unpac.me/results/27c77cde-7011-48c8-807f-bb2861488d30/
SH256 hash:
2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431
MD5 hash:
8e9950ad82cd29bde835f2a4dc42a0be
SHA1 hash:
5b38df4eb0172ceee58625d9976bbc8034c633de
Link:
https://www.unpac.me/results/27c77cde-7011-48c8-807f-bb2861488d30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a8e4adc7b74db41af2dff6cd4609f1a65b811c332152de413ac60eed07a6a8cd

AgentTesla

Executable exe 2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a8e4adc7b74db41af2dff6cd4609f1a65b811c332152de413ac60eed07a6a8cd
Cape
Cape
https://www.capesandbox.com/analysis/114520/

Comments