MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90
SHA3-384 hash: 6c07f53a87f55d9e8d1cf341216cb010ddd26e197a7fda3f3c68dc192c037b89f6a156d036c4b5fbd8178bde7dd78bd0
SHA1 hash: aa5af7cc985c5a1aee632ba82cc2fb85d2569cad
MD5 hash: 454b352ca75a9781399de0eddee4ac3c
humanhash: enemy-shade-sodium-butter
File name:e-dekont_html.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:482'304 bytes
First seen:2022-06-22 07:32:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:yrl8hXZnEkH0woxGNORTCqzmT0n4BuH0sJvKeplSVuU:yrl8hXZnFH+xGMBCqgy9UaSOV
Threatray 18'135 similar samples on MalwareBazaar
TLSH T175A4120277FC5B62D6BE4BF815E2058493B4A52A6196F75FCFD2A0C92892F400F81F5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282220/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.32285.27272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b2c5f2e88d6da4ffbbc38e/reports/bfbb620d-42a8-45b7-b45d-7c0c521591ad/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3809ec2d-654a-47cc-8e08-fb4585283952
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017714
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650209 Sample: e-dekont_html.exe Startdate: 22/06/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 8 other signatures 2->45 7 e-dekont_html.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\OeCrgYQ.exe, PE32 7->27 dropped 29 C:\Users\user\...\OeCrgYQ.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp2D85.tmp, XML 7->31 dropped 33 C:\Users\user\...\e-dekont_html.exe.log, ASCII 7->33 dropped 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 11 e-dekont_html.exe 7->11         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 schtasks.exe 7->19         started        signatures5 process6 dnsIp7 35 nesilgidaimalat.com.tr 109.232.216.46, 49756, 587 AEROTEK-ASTR Turkey 11->35 37 mail.nesilgidaimalat.com.tr 11->37 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->55 57 Tries to steal Mail credentials (via file / registry access) 11->57 59 Tries to harvest and steal ftp login credentials 11->59 61 Tries to harvest and steal browser information (history, passwords, etc) 11->61 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 01:27:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otlkw7su3zkjmkk65vlv5cbf7ip33dmx5xzltu7lhjzzy6ofb6ia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
006b674eb40ca99b1cffb927d3a85964fd41d31922d3af14c2b0e4b10056af0d
AgentTesla
1cfd60d4d7ce4e4dfdc8f467c735c33d0aefd83281cf62a38f36b0946c88ff91
AgentTesla
2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8
AgentTesla
387a765e811e6e32560ac2664259463d0a59284b34dbc43bdaf3bfcca250bd4d
AgentTesla
40fd7a4fd13cf4057de10b3eb1d89a596786f403bde6e79f3539fedd51af68de
AgentTesla
4e66e70ef947e8c220665cd4a18464d76aa7f80082cf202632749d5217cba611
AgentTesla
61d404fca3e77c9da77c817cf0e35541e15ea11350f6068d22e33a03a28a5e35
AgentTesla
78e1fbae10c16b140343e4b74ce4a005518c2811869aa37e38cb8c3e5d4b1d16
AgentTesla
+ 18'125 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220622-jevapadcb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
bd02fb27a0dd6d5554558ec108a13e756b0c15c83343d4f4d35cb258936d03e3
MD5 hash:
5ab36928a9e831d5e186f3d90d235ee0
SHA1 hash:
8cda0f182dbdc1d31c55f54a70679d592cc2c1ef
Link:
https://www.unpac.me/results/57503882-380b-4400-93b4-7a32ca94b8a2/
SH256 hash:
f17a67c971201b3f0c5c6b9bf13eacef88a481539350685e0c7009d08d55dd08
MD5 hash:
272c786e9fe83654e9f9fbbcfe198575
SHA1 hash:
3bd6b1d37a8e7afc75ce22716e1a17c9aa5de46c
Link:
https://www.unpac.me/results/57503882-380b-4400-93b4-7a32ca94b8a2/
SH256 hash:
faaf332a672bd0177b3bee5d11bf49e97be982f3691ee66d9b34ad07dcb3d0f6
MD5 hash:
80b9e96ce768667f056ded4296ceccb5
SHA1 hash:
edd8a87c343b24a3d0d3fe18f568f41f397f4ee7
Link:
https://www.unpac.me/results/57503882-380b-4400-93b4-7a32ca94b8a2/
SH256 hash:
6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash:
7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash:
c3a5b4e5721085022eb7bf0008b7e449f9369fcf
Link:
https://www.unpac.me/results/57503882-380b-4400-93b4-7a32ca94b8a2/
SH256 hash:
74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90
MD5 hash:
454b352ca75a9781399de0eddee4ac3c
SHA1 hash:
aa5af7cc985c5a1aee632ba82cc2fb85d2569cad
Link:
https://www.unpac.me/results/57503882-380b-4400-93b4-7a32ca94b8a2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74d6ab7e54de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 74d6ab7e54de5496295eed575e8825fa1fbd8d97edf2b9d3eb3a739c79c50f90

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/282220/

Comments