MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5
SHA3-384 hash: d42314b2b0d61325c4cfb48308c7f17c9e373b4b635a8699d67f111939ac4061a6c0db484ced87a8fdf23977e3f077a7
SHA1 hash: df375c5a846e6f52fc806fe13b800170fea040ed
MD5 hash: 13aedce38d8c0e95dcca37806c0ede7d
humanhash: undress-hotel-seventeen-avocado
File name:ENQs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:692'224 bytes
First seen:2023-04-19 11:41:22 UTC
Last seen:2023-04-19 15:44:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:TlBO5ZZC/W2n9ffrpE2TFLVT+iah5Rk+mcMGzF5YvwXJsoH4m4issazv8XmCDm:TlqTC/f1ddR+rh5RzMRvwWi49issH5
Threatray 2'276 similar samples on MalwareBazaar
TLSH T1FEE4F19CE7E9D6A7C2A90F7D801662883F7840E77637C638DF8A4499FB47B041E85643
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2050707096cc4860 (6 x AgentTesla, 5 x SnakeKeylogger, 3 x Loki)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ENQs.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 11:42:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb616c30-3c38-4c1b-99c4-f07f31fef2a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383276/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643fd38bc1735fe5e7568d70/reports/0d0044f4-5daa-456c-82b5-35038e6792e0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93a38622-6a49-42a3-9c91-124c3726a72f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216799
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32ro5zqlf6jskv4ambceqxto2tn3cnu2z5vcrcackh743vunqc2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0305f072031592da1b8d9d153f5cc2ba415727f514dc960354952e393e20f4fa
AgentTesla
1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05
AgentTesla
416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee
AgentTesla
5e07308b25241de53ccc1a6f833e13bf63ad9bf9fe3f4786b28fdd959702a50d
AgentTesla
6ab23b6c600f2f84df0442f21ba552973126809d9b26557d2f815e60c135517a
AgentTesla
9975c3c2c7bb393e635997f7e9060557ddc22931a8d700e558b7bb2c8d6ff892
AgentTesla
9c5a321ef423a10c264e0bc599091753b279c557b18b2f655bcd4eaf7d883ee5
AgentTesla
9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65
AgentTesla
f388b5e3cf8b41bf483a00dcd8d53cc02c298ec970510f68190e33992b184440
AgentTesla
f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca
AgentTesla
+ 2'266 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230419-nt1hgaab98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
37ca4b23e7bb82701b5e195f4fc4b7d4cfc7a05241d252740d0a6f8f07e21a8a
MD5 hash:
eca2a1f777f59644a547ffae7e749bea
SHA1 hash:
dbdf777656289b5d1f5c7ead5ede0cff76cbed90
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
SH256 hash:
b074b55c76a0b73738913989c23cc07350922f59bf0397dce08373e5ed1e91de
MD5 hash:
34bb27dd6b96e431987e6a55b50ccc42
SHA1 hash:
c51536845fcffa66324c8ec0955023e154acae3b
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
SH256 hash:
84d2d4b34c9fb1bab1519a39317385f7922bb7a7bf54c4dc0cc201b0cc80b9f2
MD5 hash:
9091e9ec3cf9a795f7c78fb62dd3a97e
SHA1 hash:
16ea0de00835f02c610d04da8208fb9290871b18
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
SH256 hash:
dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5
MD5 hash:
13aedce38d8c0e95dcca37806c0ede7d
SHA1 hash:
df375c5a846e6f52fc806fe13b800170fea040ed
Link:
https://www.unpac.me/results/285a345d-d9a6-4e3f-8e3e-5b270711284b/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dea2eee60b2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383276/

Comments