MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1cb458941028ca2b7fd0db0b472ccad320b893bd073f802f545cda447855084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1cb458941028ca2b7fd0db0b472ccad320b893bd073f802f545cda447855084
SHA3-384 hash: a9e45554ee6ce08132ef2559178e00d86e80609c1a0ff73a42ac3686b2720e5391e63bc868f0f2a31a27c8b8ee5d9930
SHA1 hash: ed521ad1641ec72352540c16eb3a254513b2d933
MD5 hash: 93e304dded1eaa2893637480f45d27f0
humanhash: minnesota-friend-spring-south
File name:2mins27secs V0icemail from 03457 404.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:525'312 bytes
First seen:2023-01-11 13:40:11 UTC
Last seen:2023-01-11 15:29:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:wNPthDCHUgI3/GAEiGH2KJYt7d41WkyFym+8ubkw:wNVhC0gIjGWKex+bkw
Threatray 8'036 similar samples on MalwareBazaar
TLSH T1D4B4DF8F58D0F520EFC41575D242A8CC0E772F059AFAE89E8C937D6F35209DD6AA058B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2mins27secs V0icemail from 03457 404.exe
Verdict:
Malicious activity
Analysis date:
2023-01-11 13:40:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e3f83c0-c989-4e17-b3cd-1e017e6484af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351949/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63bebc70fc9525ae8a4546ab/reports/80ac85f1-895b-4c6a-82d7-1d3ce826a895/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e29ca4d-b5ae-49e5-8ac8-038f7f00d49b
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149588
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782320 Sample: 2mins27secs V0icemail from ... Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 12 other signatures 2->62 7 2mins27secs V0icemail from 03457 404.exe 7 2->7         started        11 prLvQs.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\Roaming\prLvQs.exe, PE32 7->38 dropped 40 C:\Users\user\...\prLvQs.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpEA12.tmp, XML 7->42 dropped 44 2mins27secs V0icem...m 03457 404.exe.log, ASCII 7->44 dropped 64 Adds a directory exclusion to Windows Defender 7->64 13 powershell.exe 18 7->13         started        15 2mins27secs V0icemail from 03457 404.exe 15 2 7->15         started        19 powershell.exe 19 7->19         started        27 2 other processes 7->27 66 Multi AV Scanner detection for dropped file 11->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->68 70 May check the online IP address of the machine 11->70 72 2 other signatures 11->72 21 prLvQs.exe 11->21         started        23 schtasks.exe 11->23         started        25 prLvQs.exe 11->25         started        signatures5 process6 dnsIp7 29 conhost.exe 13->29         started        46 api4.ipify.org 64.185.227.156, 443, 49698, 49701 WEBNXUS United States 15->46 48 api.ipify.org 15->48 32 conhost.exe 19->32         started        50 api.ipify.org 21->50 52 Tries to steal Mail credentials (via file / registry access) 21->52 54 Tries to harvest and steal browser information (history, passwords, etc) 21->54 34 conhost.exe 23->34         started        36 conhost.exe 27->36         started        signatures8 process9 signatures10 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 29->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 29->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1cb458941028ca2b7fd0db0b472ccad320b893bd073f802f545cda447855084/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 13:41:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hfulckbakgkfn75bwyli4wmvuzaxcj32bz7qaxvixg2ir4fkcca._file
Verdict:
malicious
Similar samples:
0aef16a40e14a956a65402dbaa15033bf89533c285e42ad96642254197efb6ec
AgentTesla
3e5978c46162ecb05c51d7fff9ec6786ac453fff4dba91d906f9ec2f764d87af
AgentTesla
4016961405e5f7b07d577e28501a8e185adba690a75425c68ef4fa5b5afebc74
AgentTesla
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
AgentTesla
5d39bb6fc1ee7f5748142920119b892517290db9a8f832f99ae31dc7245142d5
AgentTesla
8d12f8cc8128ab953c82c6dd67bbccea6e9b3e28c3dfd8a4379ebfe6d141096c
AgentTesla
b6712885245cad12ca99d6746183646f3634e65e253165f068e936a8ac60905c
AgentTesla
dfe7a0c2e727c18f17644d33c1db7547943da38d8c05b7103f865c88b6279896
AgentTesla
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
AgentTesla
f2a134b43aaa44cfba190809ea5923be0fede133cfee79f68a9308bf5f80feac
AgentTesla
+ 8'026 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230111-qy359sdb72/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ec6f293-ff70-46d0-b81b-a859a5e1f5d5
Unpacked files
SH256 hash:
d5718cfc5ded3ac791f539fab3a5559384b2a1694a0dc689f58e98e57bed18aa
MD5 hash:
207f7ee2a146b265261dbb94a29b06a9
SHA1 hash:
c2d0954cd772f6d6e6c020796fe90f3aee4c18bb
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
SH256 hash:
0144ae8817f5fbe960b24d5cbe16684d48ed3ddfdf88e0c32d53a2961e2b0e0c
MD5 hash:
3e2415b0b22c8c13a6103ded8893f36c
SHA1 hash:
b89dd58d57b31d6ba7d6a87aad7865ac222c6e27
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
SH256 hash:
231d3ad6e558cd5c0d624f8979181f8aa2a21973828aadcae105523284f9d74a
MD5 hash:
572165371ae288df8eed27e05656ada6
SHA1 hash:
378e6f9511a1b1253eb6a2f1ed081ff801fac90b
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
SH256 hash:
28bd3d96071c12d49ab0d4d48646cbc614ecfa54d7e26380f1b3539fddec69c6
MD5 hash:
f0afa0b9520e267d323f7d3fb237b58c
SHA1 hash:
0a6acacd1c644bb500b4bbfa91a0224f3e74694c
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
SH256 hash:
59bf9d652fd837fbff2bdfb69b7b46d9a9a010b61132dee54ffcc3822ddaad1a
MD5 hash:
c77e769ad4e828a313e51393ab787fb7
SHA1 hash:
05d3a406aa2d7623fd4496adb30fc38b0e103e4b
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
SH256 hash:
e1cb458941028ca2b7fd0db0b472ccad320b893bd073f802f545cda447855084
MD5 hash:
93e304dded1eaa2893637480f45d27f0
SHA1 hash:
ed521ad1641ec72352540c16eb3a254513b2d933
Link:
https://www.unpac.me/results/6723b004-1ca6-45c7-8dd2-073de485d3b8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1cb45894102/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1cb458941028ca2b7fd0db0b472ccad320b893bd073f802f545cda447855084

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351949/

Comments