MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca2e0c4c5d77ac010eac33e309b31022a08125703ac87a71c319ab50d946aa6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca2e0c4c5d77ac010eac33e309b31022a08125703ac87a71c319ab50d946aa6b
SHA3-384 hash: 2ffd3d79e6065329126b6857ba83ddc65879397519a4d5fb6dba8b2c5fecba1e97021bb9d5d1da56405b5d18d5fa1a5d
SHA1 hash: 7ae903b71388e162dc4e10f65854cfb45de6d4fe
MD5 hash: 6c11f38adec40c226ba26d9d0d505b45
humanhash: cat-wyoming-mississippi-magazine
File name:6c11f38adec40c226ba26d9d0d505b45
Download: download sample
Signature AgentTesla
Create hunting rule
File size:691'200 bytes
First seen:2021-10-21 09:45:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RZqxsXHfROuQLBiUUNnLsB+RgNCwaiDURQaTxA:iqX/RlQqejNdaiQRQatA
Threatray 12'348 similar samples on MalwareBazaar
TLSH T1D4E46A422345B07FE7AA3D702B678537D363FD62245DA18D6980325E1E70EB0A35D2EE
File icon (PE):PE icon
dhash icon e4ecc4d0d4c4ecec (1 x AgentTesla)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199031/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/617136dda9d585e6d53195a2/reports/568dce72-3951-468a-8ff7-5c00426aca33/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1eaf0001-8780-4d56-b4fd-b046a9443021
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874451
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca2e0c4c5d77ac010eac33e309b31022a08125703ac87a71c319ab50d946aa6b/
Threat name:
ByteCode-MSIL.Trojan.KryptikAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 10:22:52 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1fee2da81b9bf7bc981a680b2e4c3c69dd683f66380a458f8bc6ac09c7156baf
AgentTesla
3acb8c900b76d7232dcb0dd75e92f7647468a845bba8fb42dce2bc1ec2bb1d2f
AgentTesla
526b4a1960089a844cdea329920a3842e2d18a26cf96fa52cbbde6fed7fa012a
AgentTesla
689ddb0773860f65edd676e3d32207c1db0848a29db71fae865705a6666aafe6
AgentTesla
7fc6095b91d2bb01efc48754fb7f2eb9f962b7ee06e2fa74b14609020a5ecae4
AgentTesla
94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df
AgentTesla
ec792ee233ac266c240ad4b9722b13ad8a3f3a96516511aba13254cbfdb191c4
AgentTesla
+ 12'338 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211021-lrmsgsahgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
01a38699b9233d3820076fc48b4c51fc2b05ffe267e0e8d35d49c46807bf4ce2
MD5 hash:
1ec6d90667c4b8276f3b0d9a256eb2a5
SHA1 hash:
b03444c137cedde1028f883dcafc29bfea992ac7
Link:
https://www.unpac.me/results/2fcd38c0-80e6-4d86-a77b-69201d543dd5/
SH256 hash:
ca2e0c4c5d77ac010eac33e309b31022a08125703ac87a71c319ab50d946aa6b
MD5 hash:
6c11f38adec40c226ba26d9d0d505b45
SHA1 hash:
7ae903b71388e162dc4e10f65854cfb45de6d4fe
Link:
https://www.unpac.me/results/2fcd38c0-80e6-4d86-a77b-69201d543dd5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ca2e0c4c5d77ac010eac33e309b31022a08125703ac87a71c319ab50d946aa6b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1704696/
Cape
Cape
https://www.capesandbox.com/analysis/199031/

Comments


Avatar
zbet commented on 2021-10-21 09:45:07 UTC

url : hxxp://103.232.53.42/explorer90/cortana.exe