MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0f780fce95bdd6b45827ebe9aacfe0cc448b1a56dd3cfec901cfcd34c80000b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0f780fce95bdd6b45827ebe9aacfe0cc448b1a56dd3cfec901cfcd34c80000b
SHA3-384 hash: a090be8f999cf2fa6552229d44e3bd502f77304402fc81ea822168ab8d37db2c706934f5915987c5f309dd015e0c2214
SHA1 hash: 3919b0dbf6a8db0bc66aef95fdde70f05fe0c78f
MD5 hash: 2e420bcc16dd5991229327e3b8fe17a3
humanhash: kansas-seventeen-angel-indigo
File name:Due invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'066'496 bytes
First seen:2021-06-02 18:01:40 UTC
Last seen:2021-06-02 18:50:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0vXnXSEjZDOizHZ1CBjQt3p4+5RwBWRrzWAdz4n4/nuQ6FNVnCgEvT:aXiEtDOUHd5zRFRrqAqn4/n36FNVCg
Threatray 5'536 similar samples on MalwareBazaar
TLSH 7E358CF4F198A8F4D12ED731C3909CA9D761ADFE5303892D42A5FA8C1E2379ADF89405
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Due invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 18:08:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fd9599f-cedb-4455-979e-04286e217a9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164170/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796155
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428553 Sample: Due invoice.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 9 other signatures 2->36 7 Due invoice.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\...\rszIywGJNIXWUN.exe, PE32 7->20 dropped 22 C:\...\rszIywGJNIXWUN.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp65BC.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\Due invoice.exe.log, ASCII 7->26 dropped 38 Injects a PE file into a foreign processes 7->38 11 Due invoice.exe 2 7->11         started        13 schtasks.exe 1 7->13         started        signatures5 process6 process7 15 dw20.exe 22 6 11->15         started        18 conhost.exe 13->18         started        file8 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->28 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0f780fce95bdd6b45827ebe9aacfe0cc448b1a56dd3cfec901cfcd34c80000b/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-02 09:17:12 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4d3yb7hjlpowwrmcp27jvlh6btcermnfnxj473eqdt6ngteaaafq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09f4064dd3b5bd284fc8b32cb82efba6a81105df429ed2f3952defc51b292054
AgentTesla
19d30da245dde25341b93f658cd5afd30b8f6e306f5e95d66cfbbf07ef38614e
AgentTesla
252374da96a54c1c57e4cab1a10e0cd964285811181cf8bca5e7c5d8221c79ed
AgentTesla
29d767efcd7610fd87817923bc7637caf6da9a8471013b24cab1158d7f4f9de3
AgentTesla
5554778f65c46ca8c4d902cd07434cd5c37afdd661c396cd01a934e7d5f06527
AgentTesla
559e3b8d181b53aaa635d85d51ab890464485d6de1a9d1b76207da37502bdca4
AgentTesla
5c50223a21a66730d15d4921d3a0550ae834853cf8c606e237ce953e69c68c2d
AgentTesla
7bad6e78ddd8c598c2a00f17edcf9c149a0774043756cdd505a2d20be7e1e817
AgentTesla
9682bbc8bf34d89a749880d482e492d6c8c391f6a95abc465ec1376c8cd61514
AgentTesla
e6d1139a7a618504fd44cde9395d723dc9763ff6269a9d658d0c5c5db07a6116
AgentTesla
+ 5'526 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210602-4jvqndx95s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0f780fce95bdd6b45827ebe9aacfe0cc448b1a56dd3cfec901cfcd34c80000b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e0f780fce95bdd6b45827ebe9aacfe0cc448b1a56dd3cfec901cfcd34c80000b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164170/

Comments