MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538
SHA3-384 hash: 114f78e79047b8f7343d5c5a872efc49deaab387ecaeede37d1686da2d8436395ef7b13da66c654720a185777ed9b256
SHA1 hash: 33c582c65cae7a0e0f5153276218ee91b905ebe6
MD5 hash: 8f8f3f31f07a30bfb83bfc6930c76ea5
humanhash: princess-idaho-angel-beryllium
File name:Request For Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:895'488 bytes
First seen:2022-03-08 15:24:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ER/I+tKs7rsIdmlLUVnLHkJVqZpobIn6M6JH0bIPgllqPr6ZIZiGyGLhV:Ctvd2YVnLHkrYpoxXUXqPIIZ8ez
Threatray 16'130 similar samples on MalwareBazaar
TLSH T17515CF1839E65038F9368BF1CED4FBF09B6EF221D58920F554000E159A46BBC895AEFD
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248320/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.28845.10211.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62279a450cd58dbd92688299/reports/63328ae5-e74e-4a34-afde-dad88ba5a322/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a8ec957-e296-443c-86a0-51e5cc1b042f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952698
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585176 Sample: Request For Quotation.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for dropped file 2->35 37 17 other signatures 2->37 7 Request For Quotation.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\Khgmuf.exe, PE32 7->23 dropped 25 C:\Users\user\...\Khgmuf.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpA47F.tmp, XML 7->27 dropped 29 C:\Users\...\Request For Quotation.exe.log, ASCII 7->29 dropped 39 Adds a directory exclusion to Windows Defender 7->39 11 powershell.exe 25 7->11         started        13 schtasks.exe 1 7->13         started        15 Request For Quotation.exe 2 7->15         started        17 Request For Quotation.exe 7->17         started        signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 02:24:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyp4i6xdejlkxkhmdmrfyj3bay3hdi6iatbdvvisexl4a33hau4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03aa9378d625d756619c3bac2fa2cb2f62221f40dab374fc6f8b7a8315a8e8bf
AgentTesla
0bc981fd0177a3032289751031abc774855a142b10abf42f6c34882d328e3940
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
74c2f8176fadf84bb04083901d52033b0975245676b45cd8607d80bebc91e570
AgentTesla
8e044d81e7d4c3220cddc9f497585ab660e51373e064580e9afc7ee4bca050d5
AgentTesla
b045b7b993b005e1930ca50a9eb65df8b62ca29d1dfdbbb28ca6621384172908
AgentTesla
bec947d6bdd30152e20ff535a4a163711714d6f55f3c1382d0c506f83136e160
AgentTesla
c21d2f1d2c5dad844ee2c789b2a424f0808e9eaf4edbf4319dca34531aacbe2c
AgentTesla
+ 16'120 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220308-stmzlabcfk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
2dd8593ac3dce0d4a2f491be8020f680951b29bc6fb0d10ed43aa16c1d095fbd
MD5 hash:
e5aa8a740d2068ddda86fe742141e051
SHA1 hash:
c3f25655f2a1ff6f6c02e6c0ea4288f202c6d141
Link:
https://www.unpac.me/results/d86c375f-709d-406d-9669-8afe332d856f/
SH256 hash:
633cc1bd64c87d5309927d3e715db1dc1bd5926cdc6f325694349eaae2b98c8c
MD5 hash:
1c69c54d7b9ec2459f5ebaf3d94886f7
SHA1 hash:
89e08a4491b8c304462db9f11192b9772f50b3b4
Link:
https://www.unpac.me/results/d86c375f-709d-406d-9669-8afe332d856f/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/d86c375f-709d-406d-9669-8afe332d856f/
SH256 hash:
360b819cc42e2a95f53482ba4175cb9b1182d794366871a5e8be98ac58445d22
MD5 hash:
350d5fb5ba1b73d4a5c3d94b563491f6
SHA1 hash:
1c09d9c3ddaa376bbfcfd8f5890efb8f0a4e327b
Link:
https://www.unpac.me/results/d86c375f-709d-406d-9669-8afe332d856f/
SH256 hash:
2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538
MD5 hash:
8f8f3f31f07a30bfb83bfc6930c76ea5
SHA1 hash:
33c582c65cae7a0e0f5153276218ee91b905ebe6
Link:
https://www.unpac.me/results/d86c375f-709d-406d-9669-8afe332d856f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2e1fc47ae32256aba8ec1b225c2761063671a3c804c23ad51225d7c06f670538

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/248320/

Comments