MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b2ebf2ce150e84bae3f063b8458b6f1608a5fea01531244fa005d70727605c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	48b2ebf2ce150e84bae3f063b8458b6f1608a5fea01531244fa005d70727605c
SHA3-384 hash:	7257fe58832deda9c47c29717e0b50bd5493feae2d7ab412aab55457f660ad02201755c24fe4e6a932de9af3c3eb60d8
SHA1 hash:	3e3f1a3dfa905107bd410dbeebb40fde24656460
MD5 hash:	bc5e58de848e6f45d59b81c8e286ca72
humanhash:	potato-stairway-uncle-carolina
File name:	Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'008'128 bytes
First seen:	2021-04-21 08:22:30 UTC
Last seen:	2021-04-21 09:07:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:kHcZSQOhJO4OjzntRj9Lu8DVWPmXBfg9OZlcm1kd8:acZSpDO4Ofn3Y8sEhgwLcIkK
Threatray	4'105 similar samples on MalwareBazaar
TLSH	A925E1523144DC9AE0175AFA58AFD12022B87D9F9121C70E3B93BA2B55F7382205BF5F
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

Quotation.exe

Verdict:

Malicious activity

Analysis date:

2021-04-21 08:27:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3d8c4611-7726-4d07-8207-e5f619922774

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/141920/

Detection(s):

SecuriteInfo.com.ArtemisBC5E58DE848E.24927.16644.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48b2ebf2ce150e84bae3f063b8458b6f1608a5fea01531244fa005d70727605c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-21 08:51:10 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jczox4wocuhijoxd6br3qrmln4larjp6uaktcjcpuac5obzhmboa._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508

144613cc486b100a833d62352111882e73d7e3dd2d41ba8f84a73427b12d20c3

1bc63a63deeaeb046f982263805df1c8147390b570f5ef88abd26fe0f5d30c40

2b128560da3f57b305996b0447be082b0a7d40d10ed3000c931c13c6f9ce8661

7d760e215f27b39a9b175cf3111a1cb07ca6c0299eba2c928496df1562fa4870

82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd

8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356

8b674dcd488e9b2d46b562bf23bbab4ac418d46caf950dfb62b3989d40842e83

9547fab4b9ffad18e84691f3fba302c0000cbe7ae8177f6ac1729a9a94fbdedd

df61b9c866c5ceb278e173814ddf975b70b5b2e9fcbc5b482326e4163c2e1086

+ 4'095 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210421-ax5zmqvj3j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48b2ebf2ce150e84bae3f063b8458b6f1608a5fea01531244fa005d70727605c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/141920/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample