MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe
SHA3-384 hash:	2b8a536cac174d40764972eee63bfeb1e5899dd128f2132acc4bf7b0e13aa692fe6e7b01b41342fa7c9f62c60ba1e006
SHA1 hash:	9a8e5c548e6b90308b315c499f3892435fd565a1
MD5 hash:	f265645912ecbfe1192447ae628a41ff
humanhash:	lactose-fish-seven-cola
File name:	FedEx Receipt_AWB# 860142350716.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	652'800 bytes
First seen:	2023-12-14 07:23:38 UTC
Last seen:	2023-12-14 09:23:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:grG0oLtFqk1jXPydZvqdq77yaxndqZchbTM9Vq33mvHi1wV7:gFg7qk1zAvqy7DGZUk9VWm/i1wV
TLSH	T11BD423053BD4D763CE6E62F9A131298B17F1A40A7363EBADECA870910993F91D20D477
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	AgentTesla exe FedEx

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

308

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox AgentTesla

Detection:

AgentTesla

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/467393/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.7667.7170.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Reading critical registry keys

Setting a keyboard event handler

Stealing user critical data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/657aad973636548f374f262f/reports/72ec777d-dd0a-4b03-992f-9bdd83ef6601/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1983e8d7-42a3-4e8a-9bf7-5e457f2df891

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361978

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-14 01:46:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

7

AV detection:

18 of 23 (78.26%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4gkwyx2pafksqonwmbsgcydhvnsvkcoh7qfk4zajwsi2hiltzo7a._file

Threatray agenttesla_v4 agenttesla

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

agenttesla

Alert

Create hunting rule

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231214-h8dz5adea6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

UnpacMe AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Unpacked files

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/1f0e6587-ea34-4bd1-a068-5a2194d17e9a/

SH256 hash:

3970a03f6f0ee382b983839bdc80680cea01887bbd676fa0c0760c857f708117

MD5 hash:

93d66584ba62b1770c8bc93e14474b36

SHA1 hash:

7d6d2cb55beb3a61f41f65d6113e777c46b3743f

Link:

https://www.unpac.me/results/1f0e6587-ea34-4bd1-a068-5a2194d17e9a/

SH256 hash:

0cb3051a80a0515ce715b71fdf64abebfb8c71b9814903cb9abcf16c0403f62b

MD5 hash:

d46e60b1428677214fb5301517a5af45

SHA1 hash:

5e271d7a8a5e0e1ac3a56ae0a5a40c74140a7754

Detections:

AgentTesla

Alert

Create hunting rule

win_agent_tesla_g2

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Alert

Create hunting rule

Agenttesla_type2

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_Binary_References_Browsers

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Alert

Create hunting rule

INDICATOR_EXE_Packed_GEN01

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Alert

Create hunting rule

Link:

https://www.unpac.me/results/1f0e6587-ea34-4bd1-a068-5a2194d17e9a/

Parent samples :

e0f6280a9e4d2679383003e3037fe05856e295466bf377351c8d6a0b998f0b1a
51dd6e435a4a464b9bee1ffd8f6d5282614399b351109efe1fa886f4147c58e4
5e34fe6ea5ee7b8093f2b8e827441b7ccdf1cd11480bfd974e38ce047d91058f
79852db3ea78ca8c3b3cadef3c3283f4c598314fb10c4cc065077d9f02ce3f4a
2091a13a7a8053bf245ba38b61cbbfc4b383f7503a121e178fb250112f99bd44
8a1aea514b658161770c47e07c649ee007937805cb5039bc90904bb85783dbff
5f010877aa2a19af0395aa9faa351df8d2c13ab68b61063e34edfe17c2d75a0f
348fd89e059afed284fb7b3a0014319844a9ea35b8d058e89e171b9ab73976ef
6f13cda874c2c4679ecc9be84fb66cb7aeb0e41175257ff093f353206ee07a2a
5dd670d5327b9d83c3c05af6398f3c468f7d5ce97752f657f2794545ab39b458
3bb6978b8ad3c53b2be51697f42c113fb6e58e168258fa58bd6e1985c56dc46d
e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

SH256 hash:

bba03f84b01df6772053f2ae70c6387522fd4a772fa4498afdd1f2c246e85415

MD5 hash:

ff641d1ab661288cf7258a39885ed5d6

SHA1 hash:

2bb98f966fa60e70377fc0b5426b4daff7eb0889

Link:

https://www.unpac.me/results/1f0e6587-ea34-4bd1-a068-5a2194d17e9a/

SH256 hash:

e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

MD5 hash:

f265645912ecbfe1192447ae628a41ff

SHA1 hash:

9a8e5c548e6b90308b315c499f3892435fd565a1

Link:

https://www.unpac.me/results/1f0e6587-ea34-4bd1-a068-5a2194d17e9a/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e1956c5f4f01/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe e1956c5f4f01552839b66064616067ab655509c7fc0aae6409b491a3a173cbbe

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/467393/