MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15
SHA3-384 hash: c237c98b6c0f29f410b75137c73fde50f34ebb740be97554fa43e1a5fed0fc1596884b24c47641717e0967151c7d7f71
SHA1 hash: 7c858439cee8de3eb09443bd65f706ce94451cfe
MD5 hash: 5894c2a089c25a7a7dc24c26e27496af
humanhash: wisconsin-ack-fourteen-snake
File name:квитанция об оплате.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:996'864 bytes
First seen:2023-12-02 16:38:53 UTC
Last seen:2023-12-02 18:26:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+3copox4TQJRw04grHB+MkWotBgbPoPgn80pdKQ1VUF+UoNoeApXL4fMxZr:7e/WRw0Rd+MhwB+Qk97rN9+eApEfS
Threatray 3'642 similar samples on MalwareBazaar
TLSH T182254CD1B190889AED6B07F1AD2AE53024A37E9D54B4810C55DEBF1B76B3342209FE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.14484.17245.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78ca48da-de8d-4348-a9f4-a7de320e86c8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352161
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 08:41:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bkppc3qldn4gftn6zedz4zcfccqfsqim3npmqqvatkxkznavikq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0c0b8cfcdae8cc7d8a0b193e9e14d060138396c1c3635ba1f346b2836a51de0b
AgentTesla
2100dd57077739bf596266ed7d339e7d7ab676715720e81fe8005c3f0c1a870f
AgentTesla
25230f90c2a568247464b943d281c7bf9df13fb2e3b5c3b4eefa46d5d3c618f5
AgentTesla
3bbcc99948c41ba22df2ff66b4f645f11931ca52bd07d78583db931016da2675
AgentTesla
ad7cecbbae93e5f9899d2600ce0a0516b185c7b31f778916be4c534beba1cc8b
AgentTesla
e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15
AgentTesla
+ 3'632 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231202-t5zcfaea3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
51674486612e300fde800d8b11e5c3a4d3d2d164d903dcd64bcc42226b05c81a
MD5 hash:
ef1f42e650562f4ee6a1fecec8181997
SHA1 hash:
f36f5bae4eb74636233ea23fbaa6b97085140bfa
Link:
https://www.unpac.me/results/3e4950ae-62e5-4366-9414-4e945585403f/
SH256 hash:
dc2a31ebcef7e1b02ef0b2237da0e126dfebaa6a6336f829c0194b89793e239b
MD5 hash:
3d9dd0ed4f6deb6ad320d84fa5a40542
SHA1 hash:
f2daf79f4bfd1118856e13e1487c99259415d39e
Link:
https://www.unpac.me/results/3e4950ae-62e5-4366-9414-4e945585403f/
SH256 hash:
2510fb538daab5eb178ed96985a175dc1350fecf8341a83db25dc1a234e938cd
MD5 hash:
64dd577cef2723e1be3de949167d1e74
SHA1 hash:
6cde4b4a89902cab2373b02b2d971bb4d1ef05e4
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/3e4950ae-62e5-4366-9414-4e945585403f/
SH256 hash:
ff83da4cbbe09d3a7dd2ac088be0c2fd9bbc4aaf829f5bf6b7049de96f7e2a29
MD5 hash:
6a9ab7b20753246a9317c68a4e76a04c
SHA1 hash:
5dfb65e9088c7645efca0a0f141d4b814dc1770b
Link:
https://www.unpac.me/results/3e4950ae-62e5-4366-9414-4e945585403f/
SH256 hash:
e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15
MD5 hash:
5894c2a089c25a7a7dc24c26e27496af
SHA1 hash:
7c858439cee8de3eb09443bd65f706ce94451cfe
Link:
https://www.unpac.me/results/3e4950ae-62e5-4366-9414-4e945585403f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e054f78b7058dbc3166df6483cf322288502ca0866daf6421504d57565a0aa15

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments