MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251
SHA3-384 hash:	cb2253676cf39c26ada5ad699e7b482aed0bd2bbe0a0d3025d815cfc62bae0caf1f718e563878e7500cb41b1941a06b7
SHA1 hash:	b7c7a051f7ff97c7257129a4c148df57780348bc
MD5 hash:	41a731524dc06be018b21ec7a2ef7019
humanhash:	jersey-delaware-foxtrot-five
File name:	QUOTATION_MUDP-HAP-MEC-112.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	879'104 bytes
First seen:	2021-07-12 11:37:23 UTC
Last seen:	2021-07-12 12:42:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:p5CAacGkKRrXN5GnTOdU+CHpZszPn+YiuoGNYw80xT8/tTaHahtEdNY:p5racGkKRvdoGyw80mTwa7
Threatray	6'600 similar samples on MalwareBazaar
TLSH	T1F3155C2C33BD9609F13BFFB49F60A6049FE675669725D14D3DD0428E2421E80EE76A32
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTATION_MUDP-HAP-MEC-112.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-12 11:47:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7ade2ed6-5e96-4155-924d-f477a8e97016

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171058/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.925.8231.3101.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f0ae356-3899-4219-b593-3415d3c1ab51

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/814785

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-12 07:17:46 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jtuo5tqxxaeeufwufe5o25l5auixrq35k2y3btultkqk7hegcjiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22637e06185c1729dc491bf0d47763f8e549ae5a16223b04579240a0bbfa9f1f

AgentTesla

311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97

AgentTesla

3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d

AgentTesla

8021c889d10d4c4f3b8f6f57c133a0555dac514a5b9e280c3b9ab34c2e2ecb50

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

AgentTesla

9cf2a057f02576f4223e7c2f8ef4c217944385df4cd3180029ff96b80122d752

AgentTesla

a3e84da58dbdc9813c1a8bd17a5b07e39f8d1322b8ee7d70bd5fe61b481ac492

AgentTesla

f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236

AgentTesla

+ 6'590 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210712-lcdj3xkvds/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

442d997f4dc099bb038dcbe9d7a5b100f4e009ae6290732dbf547c25382e96c3

MD5 hash:

2db540527688da5aa29bd9cbd416abf4

SHA1 hash:

7f86316d486fc3e0a0bb455014edfd3765c0073d

Link:

https://www.unpac.me/results/851a8d65-6621-4c6e-b58f-c7969a2a1a8c/

SH256 hash:

730cbbe3cffabd20aeb1dab9f7804bdf8c837e34af5ffdc31ebda9044bc34a16

MD5 hash:

cb604426e4d2217a2d0eb37b5be963d0

SHA1 hash:

5323ea6a8f36f8e885dbed7aad54acb7da7dbba5

Link:

https://www.unpac.me/results/851a8d65-6621-4c6e-b58f-c7969a2a1a8c/

SH256 hash:

39615e4b3947159bba9044fc0a5eaa7e85a903d4c5e5b02a4ad230a973cab8e5

MD5 hash:

29517a26cb204629cda7c9486cda79c3

SHA1 hash:

428e03ef71539d6efb1816ade73fa66e80c96d8e

Link:

https://www.unpac.me/results/851a8d65-6621-4c6e-b58f-c7969a2a1a8c/

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/851a8d65-6621-4c6e-b58f-c7969a2a1a8c/

SH256 hash:

4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251

MD5 hash:

41a731524dc06be018b21ec7a2ef7019

SHA1 hash:

b7c7a051f7ff97c7257129a4c148df57780348bc

Link:

https://www.unpac.me/results/851a8d65-6621-4c6e-b58f-c7969a2a1a8c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171058/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample