MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb
SHA3-384 hash: b6bb681dc6cfd3fea322c84ac8eaaec88966d237724f019b860f65822a87dc5410eecb632ef8a241d1dee1f1b9dce94e
SHA1 hash: e55e751f7616267f9c2d332a0ce31bda09fc16ef
MD5 hash: 84103a363e3519053a019fcbfb49b496
humanhash: river-snake-muppet-sink
File name:ORDER-RFQ OM-4670.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:460'800 bytes
First seen:2020-10-25 17:15:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XU03Jq8HcD+jrhHLH8okM2AZixye2oXk6:XV3Uuc6jNHLn2AZixyeXk6
Threatray 755 similar samples on MalwareBazaar
TLSH DCA4023078D62E53E1E68FF711B4A62063F1594B5B2BDA48D6BC77C086927A057F0E23
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: akdenizmarine.com
Sending IP: 185.222.58.113
From: Jenny erbil <info@akdenizmarine.com>
Subject: RE: RFQ OM-4670 URGENT
Attachment: ORDER-RFQ OM-4670.zip (contains "ORDER-RFQ OM-4670.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75727/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/509561
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 16:05:46 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2cm243wgl6rjuvmpozk2l5qjz453wgdlkto6ol2kl2mcoorzh5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07f9ae4dfabfafce83d9c14be15f43ef68d08ec13cddb3c026fe8d26a5dc9355
AgentTesla
17a03e39ebafb5fcdd30227fcce2138dc69e353fc1ea131e53dfee3b4190cacc
AgentTesla
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
27bec5b0582b3447dfbf1e2cca8afae778532caa31b449bebb434d5468cbe3b7
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
be6d4618333f5bca53591236f870ab7d368843e7b32b3333d97a4a72d920559a
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
df1fd43f5e715d4b610466b4cc55331d3978e1f771c3991d9844c72345a5abbb
AgentTesla
e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca
AgentTesla
f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907
AgentTesla
+ 745 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/201025-n48l2142r2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb
MD5 hash:
84103a363e3519053a019fcbfb49b496
SHA1 hash:
e55e751f7616267f9c2d332a0ce31bda09fc16ef
Link:
https://www.unpac.me/results/946481c3-b554-4ed9-b1db-872213d545db/
SH256 hash:
af0bf1b463d034ca57f252f647f33b37569b2564c1e540b26ca5b7db410b2ae4
MD5 hash:
8968e567dbe79b7b1fa9cfcebf469cd2
SHA1 hash:
0c738dfde81dfdab859ef94bcc756b3f1eaacafe
Link:
https://www.unpac.me/results/946481c3-b554-4ed9-b1db-872213d545db/
SH256 hash:
e278e44869b4560ae8cab37e0d71ef79ede0f73a5b4176ce04db3c2818cec336
MD5 hash:
057c210911045f8f4a62ff3cacc31829
SHA1 hash:
8f779ff6231c764901c16e688bc44aba69acb5f5
Link:
https://www.unpac.me/results/946481c3-b554-4ed9-b1db-872213d545db/
SH256 hash:
4677dd580af18e4ff6f1f6a485bc827c5deed17ee092fa21ca62c3819e8d987e
MD5 hash:
b221d8ae9e15755801bc4081276f6b3e
SHA1 hash:
b36926dbe07ddb8e4eaf53e457335cc29c5eae84
Link:
https://www.unpac.me/results/946481c3-b554-4ed9-b1db-872213d545db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:unixredflags
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for red flags
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 647e4f8f25356102e3d456aeb52961904ddf507e2377213be643e68492143a8d

AgentTesla

Executable exe 2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb

(this sample)

  
Dropped by
MD5 8b3d6e531cedd4df6a5dce719b95d7d6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75727/
  
Dropped by
SHA256 647e4f8f25356102e3d456aeb52961904ddf507e2377213be643e68492143a8d

Comments