MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb
SHA3-384 hash:	341401961a02d2886ff8654f8ba0ecde881d0297ae05a7321423e2a140340514f780588150c12b23a2cc0ad3b0f2f4de
SHA1 hash:	26d7c113caa0f759c1a9190276b5468ca583ccf2
MD5 hash:	59dabf4c99a7baa5f1e9fee1a45cdc7e
humanhash:	fourteen-low-ohio-twenty
File name:	e-dekont.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'248'768 bytes
First seen:	2023-12-19 15:27:34 UTC
Last seen:	2023-12-19 17:17:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:xpRc7FGU5t+qpq4ZcxCxx1AMLSuVoAXMhwRW4oEEM53E+HpyrY:dYFGG8t4oulboAXMhwRWpnAbHI
TLSH	T17C45E57CA878556BE4B6D6B2AFE59433B0519D6E305C582894D6F3163373B0330CBA2E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

338

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/468533/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6581b68cb855eb3693e6a798/reports/cf34049a-c59d-4df6-a052-1835908e8cc4/overview

Verdict:

Malicious

Labled as:

Ransom.Loki.Generic

Link:

https://www.hybrid-analysis.com/sample/71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ffccafd0-8784-4a60-b888-3c7a866d60ae

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364632

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-19 06:41:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ohvnzhczvkrmovsjvtjoauiiu2vbhpxwko4ff2rict27sbiupg5q._file

Verdict:

malicious

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231219-swbpcagbd3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1186256769916338216/Dx_GqOUzw_8W7BdZauyIgUgrsiqhd0nS86wVfi9OIvNF32-DiwASLNiF9fOtUHDq6pOe

Unpacked files

SH256 hash:

149c09015bdda070c20b9bf3b6c93f5c682c69fc501ee6169e8499fc78eefb0e

MD5 hash:

a00178f38ae047feec208bd3bf573f41

SHA1 hash:

e9494ee6d2920f607096bd8b04085f1b2845a06b

Link:

https://www.unpac.me/results/0bf77582-aead-42dc-9005-99a182fd21b1/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/0bf77582-aead-42dc-9005-99a182fd21b1/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/0bf77582-aead-42dc-9005-99a182fd21b1/

SH256 hash:

6af7521966baf6cad4d3ac71c56a81f90ae8475e994f6c3afdfe6e4256c89479

MD5 hash:

07abbbea56e39d622b700635d42b1868

SHA1 hash:

2facfc1a0292052af63ae88b8e83fac3951fdaa5

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DiscordURL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0bf77582-aead-42dc-9005-99a182fd21b1/

SH256 hash:

71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb

MD5 hash:

59dabf4c99a7baa5f1e9fee1a45cdc7e

SHA1 hash:

26d7c113caa0f759c1a9190276b5468ca583ccf2

Link:

https://www.unpac.me/results/0bf77582-aead-42dc-9005-99a182fd21b1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/71eadc9c59aa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 71eadc9c59aaa2c75649acd2e05108a6aa13bef653b852ea2814f5f9051479bb

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468533/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample