MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e109301b68ba0c8059aa2723356b726495fde14a67c30e842e2da419f7921e8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 10 File information Comments

SHA256 hash:	e109301b68ba0c8059aa2723356b726495fde14a67c30e842e2da419f7921e8f
SHA3-384 hash:	af284de6a1410284cd5cdb85fd98521a0048f7647cb8a865cb7b65b7ad8404881305fd4071bf131be12f184aba14d945
SHA1 hash:	8b035b526fd47b52152eae58655a9f9c949df456
MD5 hash:	50bc83124c863343556a5f9aa901ca16
humanhash:	nitrogen-salami-victor-florida
File name:	CsssonsoleApp1.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	24'064 bytes
First seen:	2021-10-06 12:38:25 UTC
Last seen:	2021-10-06 13:48:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	384:tCJgSTq4vKSCMSZZoj5JYNJ6lnCZF4shRvxbq2UFGk+OqhsT:tcViZmjzYnP7RhRvxbq2Y1rqh0
Threatray	10'847 similar samples on MalwareBazaar
TLSH	T121B2D8C2F3C585A4FCBF0931643B9E440A6AFF35ACD52955399976234AB328192B331B
File icon (PE):
dhash icon	e0c4e2a2a4bcbcf8 (7 x AgentTesla, 2 x Formbook, 1 x SnakeKeylogger)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

malicious.exe

Verdict:

Malicious activity

Analysis date:

2021-10-06 07:23:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/12272139-d126-4799-a5ec-19072e8b4b04

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195464/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader43.36383.23233.24458.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615d98e898a6280f3932e8dc/reports/bcd363b2-e47e-428c-8851-f2aef21d598a/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4dfe427-cefa-4614-9423-b64bbce1de8c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/865583

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e109301b68ba0c8059aa2723356b726495fde14a67c30e842e2da419f7921e8f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-06 07:48:15 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4eetag3ixigiawnke4rtk23smsk73ykkm7bq5bbofwsbt54sd2hq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3

AgentTesla

641b9400b184d78647e1199826101f85762a534cbc79239a2d10a042b1a09651

AgentTesla

6766499aa0d71f9a187cabedfc430ed315927daf0c7c889e43f2e3d2354935e6

AgentTesla

69bd19f78f689f6e4852f3be6f0b2d75ce32a7f8145794a0248c665ccaa6d59a

AgentTesla

8bb23545488e0099f6bf018d0b105ab10ca079ece74a19dde9c4149b8d961bd3

AgentTesla

e20d6f8c4130be0491a8fe5069fc6aac30fb3d59eaa96dc8c67b6254609527cb

AgentTesla

e8d9c5a2ed13e0bb2afd61d3f0e3f55acc6693cac053ce47cf6768129f6b8b62

AgentTesla

+ 10'837 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/211006-pvl7xabba2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1948592798:AAEPqwEad_OoXqml68rtg1qHOajQ46ljm48/sendDocument

Unpacked files

SH256 hash:

e109301b68ba0c8059aa2723356b726495fde14a67c30e842e2da419f7921e8f

MD5 hash:

50bc83124c863343556a5f9aa901ca16

SHA1 hash:

8b035b526fd47b52152eae58655a9f9c949df456

Link:

https://www.unpac.me/results/71256cb7-b1cf-4912-9fc6-b5fb02d0bf1f/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e109301b68ba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/e109301b68ba0c8059aa2723356b726495fde14a67c30e842e2da419f7921e8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195464/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample