MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8
SHA3-384 hash: dce8c7d7102743a8ff4d19b1ff27eb4422a89aa450187f3b40f7bc2eff4b5c8c2b2eaf96ef83fadbc4bc00dd08d32913
SHA1 hash: f2f1bca88de9819bf54119f786057b3cefc6b7bb
MD5 hash: c28fd7faa068e454a2b8563ae997d71c
humanhash: kentucky-texas-michigan-nevada
File name:c28fd7faa068e454a2b8563ae997d71c
Download: download sample
Signature AgentTesla
Create hunting rule
File size:660'992 bytes
First seen:2021-06-25 05:50:48 UTC
Last seen:2021-06-25 06:53:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:iS0rXJOL+VHGiUyZ+oUc0HlphAgSvN6F4RFqJ+Miq6gK1u2vaqvfNpc64oqqB:WXglyZ+oU7p23N66S+Mi5YB+fPcV1q
Threatray 7'164 similar samples on MalwareBazaar
TLSH C0E4120237968721DACC0132C4E7611007F6FBC7B2B3D69E7994569A1F433EA4E9ABC5
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c28fd7faa068e454a2b8563ae997d71c
Verdict:
No threats detected
Analysis date:
2021-06-25 05:52:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/38fc76b6-9621-4fca-88c6-ccdb07b00002

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168208/
Detection(s):
SecuriteInfo.com.Variant.Ursu.753702.17351.18060.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74aad9e7-bae1-4777-93c7-8b3e9c177dca
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807906
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 06:25:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cv5snrat3ck4n5xukdpun6qmspijhugbfmcj7tpxgsx3j7rpk4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
masslogger
Create hunting rule
Similar samples:
1468687478e582cf4b4277a62b14e1024b99346047b965bf27b58fd0623624f9
AgentTesla
360afb4fd65a7dd9bd8856cbfc7a27e517326a732e41a63bb568f55cab40d488
AgentTesla
49c52b95a4e8fb4790b5549c90a4f2bb7895693b1054d82074d66ca8fc5f8162
AgentTesla
6001be9c4cdedd1240a0388bf3939a460c03a4b70034369a385cf29f2e0258b1
AgentTesla
a1602bb9c053093b2a5474766413543cc15fabdf9a6ad03032b8ec332dc8d6c6
AgentTesla
b1db9b45aa4903a5d9086d759765f4cb76a23e601c7bfd8133d440cace108307
AgentTesla
bd352fa9760813debe498bc11b633f43dd230ffc9e8e3e071cff13e471d0f77c
AgentTesla
da0bf78379603e0fca639199bb47fdb7e176833e512d24433df329b72aef33f5
AgentTesla
e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb
AgentTesla
f2d179f25d19becd3b4ac61a7222cb9cb6df11def0fac51df5a04bba4245dbee
AgentTesla
+ 7'154 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210625-kw6c3j4ama/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9d053ca0f0bdfe880de2740262a3045bdcfcab30dea450ec27b1b1fdc642da58
MD5 hash:
b1c5b9a3317c3bc8bcba2e1ffee99962
SHA1 hash:
ed78cad76ae5a224e7c8821f572371b56a426219
Link:
https://www.unpac.me/results/08e93f07-a9ca-4422-a635-10884051df7a/
SH256 hash:
e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8
MD5 hash:
c28fd7faa068e454a2b8563ae997d71c
SHA1 hash:
f2f1bca88de9819bf54119f786057b3cefc6b7bb
Link:
https://www.unpac.me/results/08e93f07-a9ca-4422-a635-10884051df7a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e0abd936209ec4ae37b7a286fa37d0649e849e86095824fe6fb9a57da7f17ab8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168208/

Comments