MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d
SHA3-384 hash: 09e8c1d49d5f92d6f7465305c22c435e0455befe824a7ccc1c3e3edc8fd4c23c8ac6aee6734ec135fc33f9c2318fb450
SHA1 hash: b9a25eabb89cdbcf747a7cf459bf371788a2bf02
MD5 hash: 30443cbfdff4997867216993a2e03e6a
humanhash: xray-nineteen-missouri-fanta
File name:Scanned #00461070823.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:646'144 bytes
First seen:2023-08-15 12:12:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7hBpkogUNWIXK0N3TzJuv8I7cMcSfMPqvhYRqu7dtP:N2ujzJu9cMVfJJfu7L
Threatray 5'586 similar samples on MalwareBazaar
TLSH T16DD42212554CDA41EB3C4BFB38644A2C47B3B35E4264F2AE8FA55CDF4467F0E9A60A07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1000107171100000 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Scanned #00461070823.exe
Verdict:
Malicious activity
Analysis date:
2023-08-15 12:14:44 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/cab99625-481a-45be-93f6-6d22b97daf50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442762/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.1729.20847.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c490f0bc-a4e6-4686-b11c-38baf26846dd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291379
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 02:19:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dwvjadetowhc7clvd6w5hvfvo4qpbym72ysluj547s75x4pvz6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ed77fd89bf16db78b75431e59d9e15c2a284563cb77bc69d49a45823accca80
AgentTesla
332bd128b3b9a33e9d363b6a9578739d94471de4fe26d931bcff80219fcf4e9a
AgentTesla
36c15da245c3b9a2bc01bf408f5d9ee73f484d9a010a41a09a8ddf552eed7dc1
AgentTesla
5aa663f88bbd1d58ab129a4ded631a1d93ce4e13a5bfe7e0d933ddd1453d55a4
AgentTesla
696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae
AgentTesla
8c51d1cb1d28a45a81fca1a9f810215067cf815e19428debefcf9070491da053
AgentTesla
8d83bca79f2bc2c8de276322813a9d775891c8445191f196c302f0965ba62ba3
AgentTesla
ab701ac288408c45b6a0d0d7cc7f71b44309cd32b64544a3244511098ee20bf6
AgentTesla
f03f1ae3d3d6bde555d9bc841f8b11ee27459cb9937ae50298b24acb3190552e
AgentTesla
+ 5'576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230815-pdq5jaaf28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
605ba591578790f338e0a1fe608c7ad66c03bd6a55c34f8dc27fc35073013c4e
MD5 hash:
443463aee5a7d47958032e07f3ee8b84
SHA1 hash:
ea641a709b76c4ca16478fc72628aedbed505eae
Link:
https://www.unpac.me/results/7f623db5-d2bd-477a-ab8e-5f8632fa650e/
SH256 hash:
2abc6408049a8b36750a82ce53b9f066cc47b2c0687a841947c8e26892087e72
MD5 hash:
7d1e46d14d540b6a653bb9c7989750dd
SHA1 hash:
c8b9053121b5e46c6617b616b38b65406a99267c
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/7f623db5-d2bd-477a-ab8e-5f8632fa650e/
Parent samples :
0ed77fd89bf16db78b75431e59d9e15c2a284563cb77bc69d49a45823accca80
5aa663f88bbd1d58ab129a4ded631a1d93ce4e13a5bfe7e0d933ddd1453d55a4
e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d
SH256 hash:
685c9d7e1b600153e470b3addb11ae0f0a4eb32818c724385f4674bad5ae8453
MD5 hash:
12dadeb5efa2ad0d1f487b1b038e8c4a
SHA1 hash:
537a1a0a5bf300b1117f490f250423ce4e3e740b
Link:
https://www.unpac.me/results/7f623db5-d2bd-477a-ab8e-5f8632fa650e/
SH256 hash:
acb4f2181a20567f3a024b4919e95a204633c49dd5fa694e73b2c508b2517f62
MD5 hash:
54382de0119d4daa02ec3edd0312168d
SHA1 hash:
0451e80a80e731f260afd2e7c60d9d79069b0a3b
Link:
https://www.unpac.me/results/7f623db5-d2bd-477a-ab8e-5f8632fa650e/
SH256 hash:
e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d
MD5 hash:
30443cbfdff4997867216993a2e03e6a
SHA1 hash:
b9a25eabb89cdbcf747a7cf459bf371788a2bf02
Link:
https://www.unpac.me/results/7f623db5-d2bd-477a-ab8e-5f8632fa650e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 865da6b7f453c9d7a5d9eef91b61eaec863a10fba0fe377541ac58bb42da6669

AgentTesla

Executable exe e0ed5480649bac717c4ba8fd6e9ea5abb907870cfeb125d13de7e5fedf8fae7d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 865da6b7f453c9d7a5d9eef91b61eaec863a10fba0fe377541ac58bb42da6669
Cape
Cape
https://www.capesandbox.com/analysis/442762/
  
Dropped by
MD5 39be2b832ad508a27883a033a11535d9

Comments