MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a
SHA3-384 hash:	fb5441cb14bf4914221d89f39baf498cfea10306f082525c859b130b36de6fe43c14878c04a379a8684c4bf613097540
SHA1 hash:	0a32e2a126af8901bb8670d99bd0698475ea7b2f
MD5 hash:	604d9f36e40e570d9187c78c0cd3ddd2
humanhash:	harry-carpet-may-india
File name:	e-dekont-20230215-0-.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	813'640 bytes
First seen:	2023-02-15 15:05:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:GK3RfhJ2l1eBax3ZCeEE9HTz+oEhCzn0Ab:L31Cl1OcZCa9HTCHCgA
Threatray	526 similar samples on MalwareBazaar
TLSH	T10105120A769E9611C82E16B0C8F7492453F1EAC72673C6CA3E9D13C54D427C2CE9A7DE
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e-dekont-20230215-0-.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 15:08:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7bf722b7-44ee-4440-a43e-df0f997be228

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/366698/

Detection(s):

SecuriteInfo.com.Variant.Tedy.228780.26502.13773.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/63ecf4ddcc8a53ea10ed1194/reports/d72efecd-7095-4496-8279-cca679ed9928/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0df52259-ccc1-4050-85b9-5f8b79c4252f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1176301

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2023-02-15 14:26:51 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vb4lwendkbxl2g2qu5jfc7rfszcvu5ya6anibbm4byybflav6cna._file

Verdict:

malicious

AgentTesla

1daf8d1596d48c1d9e3c39c394d5f634d6a6bbd2077df9f40412fc9f50f77b37

AgentTesla

77c159185faa334e80e1905791e5baa2b366b2017c4a37b458cedbcb1baabb2c

AgentTesla

8271b73c229772949561931797ba49d42098a5f9eb97276252462ba7c1261951

AgentTesla

84ca5338192be829c40e31b95df0ddd56a46341841ab1d3d65c548c39f383808

AgentTesla

b55e750d3ec8f350361c608a597d29359a315991bca5bd1cb0617b00cf5a1e60

AgentTesla

ec1dc62154fa4bf3b85367872c69ab346c334c6c392429995d950ec91d6945f9

AgentTesla

+ 516 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230215-sgq6gscd24/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

.NET Reactor proctector

AgentTesla

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1075033485355532409/PY03RC_LVWgPfEYGLd-dVemJoNpFdo5fMfDCmfTCn0S_o4ousPDz3eraWhreCcHqEMSn

Unpacked files

SH256 hash:

a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a

MD5 hash:

604d9f36e40e570d9187c78c0cd3ddd2

SHA1 hash:

0a32e2a126af8901bb8670d99bd0698475ea7b2f

Link:

https://www.unpac.me/results/2255a12f-3b6c-4f9d-950c-8b4bdb1fe46f/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a878bb11a350/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366698/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample