MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d
SHA3-384 hash: 112c3fbf1098b0ce74bff68f8d64a30caee7ff3a4a0b4e6e573e7b52c692639931bed17697ad86432cad0c0ec055db55
SHA1 hash: aeca8f699d3363a33fa469244026904008a6adbe
MD5 hash: f41c79d711133f5df0489e2e624ea8a6
humanhash: fifteen-summer-florida-three
File name:SecuriteInfo.com.Trojan.Inject4.48217.30341.13985
Download: download sample
Signature AgentTesla
Create hunting rule
File size:949'760 bytes
First seen:2022-12-06 06:27:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:uc+iCP6hW5EQz8SioOhok4DhArZJ3WOYnjEXcR3k5flwj2bO6jmangKZ/nXt7vie:F+NY4E6VOhwS1GjJ3k5fWySw
Threatray 23'698 similar samples on MalwareBazaar
TLSH T10D15C51F4EC756DCEE3747B4F271BBB83E627A81A8615C051CA0B072027E52DAB3E951
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 24e4c4d4d4f0c4c4 (2 x AgentTesla, 1 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Inject4.48217.30341.13985
Verdict:
Malicious activity
Analysis date:
2022-12-06 06:32:19 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/b8a832ce-9c76-4da0-bbde-aa117ac9d0cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343204/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638ee0f69a505ad9423d969f/reports/d09b8858-0503-40e5-870c-28c6c0c2d113/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02ac10e6-8979-46d7-b75f-c75ca21b2bca
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128649
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 761373 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 06/12/2022 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Sigma detected: Scheduled temp file as task from temp location 2->74 76 7 other signatures 2->76 7 SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe 7 2->7         started        11 esSJC.exe 2->11         started        13 JEXDDUqAy.exe 5 2->13         started        15 esSJC.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\JEXDDUqAy.exe, PE32 7->50 dropped 52 C:\Users\...\JEXDDUqAy.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmp9AE4.tmp, XML 7->54 dropped 56 SecuriteInfo.com.T...30341.13985.exe.log, ASCII 7->56 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->94 100 2 other signatures 7->100 17 SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe 17 6 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        96 Multi AV Scanner detection for dropped file 11->96 98 Machine Learning detection for dropped file 11->98 26 esSJC.exe 11->26         started        28 schtasks.exe 11->28         started        36 2 other processes 11->36 30 JEXDDUqAy.exe 13->30         started        32 schtasks.exe 13->32         started        34 JEXDDUqAy.exe 13->34         started        signatures5 process6 dnsIp7 58 ftp.deconbrio.com 143.95.110.250, 21, 31320, 39648 ASMALLORANGE1US United States 17->58 60 api.ipify.org.herokudns.com 3.220.57.224, 443, 49696 AMAZON-AESUS United States 17->60 68 2 other IPs or domains 17->68 46 C:\Users\user\AppData\Roaming\...\esSJC.exe, PE32 17->46 dropped 48 C:\Users\user\...\esSJC.exe:Zone.Identifier, ASCII 17->48 dropped 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->78 80 Tries to steal Mail credentials (via file / registry access) 17->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->82 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 api.ipify.org 26->62 84 Tries to harvest and steal ftp login credentials 26->84 86 Tries to harvest and steal browser information (history, passwords, etc) 26->86 88 Installs a global keyboard hook 26->88 42 conhost.exe 28->42         started        64 3.232.242.170, 443, 49699, 49700 AMAZON-AESUS United States 30->64 66 api.ipify.org 30->66 44 conhost.exe 32->44         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 04:28:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ccb5ihtyzg6dnitlru2qqopmm73nqntizbjslgti5gp4u6id56q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
458fefa707435c36315bf410b3318c34a83da7e4bb2429986ba4ab95986d9d11
AgentTesla
63455805dccef839a74b781e13ad519160d0e0db6ef96af2cdf2e74de51be7ea
AgentTesla
bc07910ce2ed3c7b871b6b587285211c2877c99f0a49be49fdf71b4419ada13f
AgentTesla
c6e23700b04887686fb5556f432e9cf4c29181cfffbb135a50dc09124664ded0
AgentTesla
e3f743fb706abf616add3cf15faa3ebcb36b14c400952afd37485176e71eaa32
AgentTesla
edeb90f2504b6baa926fe916b136109cd1bc6091cb1c0c75e6010cd6f2f73938
AgentTesla
+ 23'688 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221206-g8bz4abh84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
509567b7ff1fe8a4f690297f9767633dad8f48588d02f9429dbd32090774e6a0
MD5 hash:
b80935d19fad50a348f8148d38b8a2ee
SHA1 hash:
ff30e011d1bebd0d8cf3e32a6ecc66447c7a2c21
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
SH256 hash:
b903b19f9884e6fd39701e7216039d11e0cbac3bb52a1e21f3f16eb9fd2a7167
MD5 hash:
d8a2b8f2a4ba9e10bb7ba26133b4a662
SHA1 hash:
e2f45eefe90458ffc6a584372c234c7c024b8d11
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
SH256 hash:
73f9689ad58d937933388cbe0268a1888cca7b4b16ed2dc416efb1ca8265543c
MD5 hash:
0d5e05322b7695a661df0682e75fddde
SHA1 hash:
75bdd1e9f7e029c9c3150a7749305943b738306e
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
Parent samples :
c6e23700b04887686fb5556f432e9cf4c29181cfffbb135a50dc09124664ded0
edeb90f2504b6baa926fe916b136109cd1bc6091cb1c0c75e6010cd6f2f73938
3d56a03b999ae6e936a1524b6b59aae00273a4bcfa41497b57b1ea9d5ebadd8b
e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d
99db6e23457a904ce44e0f40846810026bfd85542099ccb5f37ff47589ace258
SH256 hash:
2b61b0d45e7fad20f98c7e90bebb7dc09a10394243df41e602a159bef362a687
MD5 hash:
c11b2c95b0baa9c0441ec64467fd6208
SHA1 hash:
5ccec7d823f233105d591f9fe10b67080dd0f280
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
SH256 hash:
d7ab7750b563b1a7fa8ad690d8ba43ccf2ddae7da05c77cea326d24f28902a3e
MD5 hash:
d78ef162de535d1e289591e337dea00f
SHA1 hash:
34ac29951220c307dc473a7ab87881cffa0ffd37
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
SH256 hash:
e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d
MD5 hash:
f41c79d711133f5df0489e2e624ea8a6
SHA1 hash:
aeca8f699d3363a33fa469244026904008a6adbe
Link:
https://www.unpac.me/results/7df1b877-72e7-4c4f-a247-b31dc608ff53/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0841ea0f3c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343204/

Comments