MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
SHA3-384 hash:	0a5cfeb3dd6a06c3a615e8738ac5fc413c8d9598d644fdaff4ff3fb9e338d2cb92bf38d0c8c9582a076578d921f1bbb9
SHA1 hash:	358ce1437d5b22cebefeafa291f409dc8fff5c7c
MD5 hash:	dc4a440af903b76ea8dbf989e3ec229a
humanhash:	echo-washington-uniform-low
File name:	INQUIRY.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	935'424 bytes
First seen:	2020-11-05 19:42:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:L3iR1zKoVYVWMFs9oORLqlM8YKL2Uqsf:L33RzZzR2Uqw
TLSH	A715BFF66285EB5AC80F043FF84B256183D9DF2E99F8904647C5F119137C6CEA6AC48B
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/83846/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-05 19:41:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4bsm24fomrt23hadik2hkdfoj63irrllbwie5jajdkqhjylu3tya._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201105-a5vwe7stde/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

MD5 hash:

dc4a440af903b76ea8dbf989e3ec229a

SHA1 hash:

358ce1437d5b22cebefeafa291f409dc8fff5c7c

Link:

https://www.unpac.me/results/ab1afca6-5c93-4403-9f70-9ab670dd242b/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/ab1afca6-5c93-4403-9f70-9ab670dd242b/

SH256 hash:

0dec38e39c576acc55328520f2c52d664d939f97dd62eb0bc8498244ce75823c

MD5 hash:

750100284ab1e842d72a0340a4fd4b8f

SHA1 hash:

77bab93f502d45bde7475c2e6ecf66d089b7c291

Link:

https://www.unpac.me/results/ab1afca6-5c93-4403-9f70-9ab670dd242b/

SH256 hash:

fd92b4a7e4d0776bec7e957cbd9187074c00dc8d839a578d4e2c64a0be0eb2ae

MD5 hash:

49d1bb7cfea9f969730e78994ff4f372

SHA1 hash:

f6ccacfebf28f6316326d71eca7da2086fd20816

Link:

https://www.unpac.me/results/ab1afca6-5c93-4403-9f70-9ab670dd242b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/83846/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample