MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b
SHA3-384 hash: 474da81e7d6e28fa0062eb1e6d722c93386622a08beb9cbcf5a1895f3d0420129510094d8242992759f9dce0b930f39e
SHA1 hash: 69aa141cce1130127d001c3e2ddd09a9d86110d3
MD5 hash: e3e93fe05b613c6825315938ff8a9fc3
humanhash: crazy-salami-lion-hawaii
File name:e3e93fe05b613c6825315938ff8a9fc3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:743'936 bytes
First seen:2021-07-20 12:46:05 UTC
Last seen:2021-07-20 13:52:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xDKD1VqwGAg1o5kYmNRLfO0+wixNoXZwLfVUpm9LcUAEwm+SAt8CArGuNwGXrNzR:xODKnAgqyhG0bin8ZCfCkcUAEwXHQnU
Threatray 7'077 similar samples on MalwareBazaar
TLSH T1DFF4BD3804998A63C676A273C668E704FEF319927271DD1A939BE2871F1750368DEF1C
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc56576847896543987652134.doc
Verdict:
Malicious activity
Analysis date:
2021-07-20 08:53:33 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/6df6d626-1f2b-4d64-a021-b11ece0e040f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172818/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14538.5819.29151.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/640dd959-1bfb-4956-bfb7-84ccb06a66dc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819021
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451431 Sample: 0ZZqw52a6S.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 26 smtp.privateemail.com 2->26 30 Found malware configuration 2->30 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 5 other signatures 2->36 8 0ZZqw52a6S.exe 6 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Roaming\AZYAVeFwU.exe, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\tmp47FB.tmp, XML 8->22 dropped 24 C:\Users\user\AppData\...\0ZZqw52a6S.exe.log, ASCII 8->24 dropped 38 Uses schtasks.exe or at.exe to add and modify task schedules 8->38 40 Writes to foreign memory regions 8->40 42 Allocates memory in foreign processes 8->42 44 Injects a PE file into a foreign processes 8->44 12 RegSvcs.exe 4 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 28 smtp.privateemail.com 199.193.7.228, 49732, 49733, 49734 NAMECHEAP-NETUS United States 12->28 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->48 50 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->50 18 conhost.exe 16->18         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-20 00:43:15 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ze7jcpc52xedohzkznkiz43wdtwatz3mlm33hszwcyyuftgelnnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40
AgentTesla
0ec625166e4d3d30edc9ecee2d9f4131085a6ade75de1ca6825a8f01a97c20cd
AgentTesla
1b19b55ce9b8738b1c0a308f0a29c4d9356888339ba0678ae11e2fc0aa749e89
AgentTesla
21bd5e4845c12f0601ae8988314a461339e03e78267cac80f4a34ce93ad404ab
AgentTesla
23efc97e61f8218480cd1b89de603d517f0b31ee4fe9e2bf1f83bcb38e242827
AgentTesla
843953f91f7a0cea202cd389974f9bbfe111934bf175af7cb0e44804be5b9b4d
AgentTesla
961f7b9bed8edc7f79de3d04f44282b97a4a8e41f329300e827b0c80888d5b5e
AgentTesla
9641b42c328e6e872819d139d20c3b64ed5e00d044de54550d58c2c77917e50c
AgentTesla
c7af68bcec3b1c2e3a87f08111ab75b525799c5386fa85b529f8690bfa1c766a
AgentTesla
+ 7'067 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210720-3sn8hpz5re/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/1e4bd9cc-a58a-4f0e-b37f-ad552a78dc17/
SH256 hash:
7b1913f0cb02db202fa04b08781fe1415f0131150eb2315a0e746342982cdb38
MD5 hash:
9abbd69c587479b5567a5d8e9d3a4594
SHA1 hash:
b7eb58b877e2ff04480e5a70758252061b88c1fc
Link:
https://www.unpac.me/results/1e4bd9cc-a58a-4f0e-b37f-ad552a78dc17/
SH256 hash:
c819e904615bdb2cf9315eab94bfc0d9c122436af99e48ccd9d543be36c8a04a
MD5 hash:
276bd3e97b905f6c23bb1d5ddeb72ce8
SHA1 hash:
8aec7e42f9a0d4ab3300a59328517fc12d2aa58a
Link:
https://www.unpac.me/results/1e4bd9cc-a58a-4f0e-b37f-ad552a78dc17/
SH256 hash:
c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b
MD5 hash:
e3e93fe05b613c6825315938ff8a9fc3
SHA1 hash:
69aa141cce1130127d001c3e2ddd09a9d86110d3
Link:
https://www.unpac.me/results/1e4bd9cc-a58a-4f0e-b37f-ad552a78dc17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c93e913c5dd5c8371f2acb548cf3761cec09e76c5b37b3cb36163142ccc45b5b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1449842/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172818/

Comments