MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668
SHA3-384 hash: b5c724304fc719e89b7fdb810011f13c63ab0699fe043b472b44ee8e8e591f0c9d96713a34c38429938bf913557c4537
SHA1 hash: 07a65c8215e2f3797c63398852fc6e9bc70e366f
MD5 hash: 3e1e27b5fc6dda21675ad901ab59c391
humanhash: princess-juliet-september-ohio
File name:3e1e27b5fc6dda21675ad901ab59c391
Download: download sample
Signature AgentTesla
Create hunting rule
File size:499'712 bytes
First seen:2021-11-12 11:52:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ihP+btD00Mp1fK6ZQ5DJzKoYLAFmKpfaD:ihPYC0wKNz0Agqa
Threatray 13'559 similar samples on MalwareBazaar
TLSH T190B4F1263A54DE56D23A46BACCAE901003FCFD2A3972C71D7FCC738F69623115CA465A
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205288/
Detection(s):
Win.Packed.Msilzilla-9907552-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/618e55a0a00afa9663a507db/reports/e90482ef-bfeb-4671-8320-a475f00420c6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23c234ce-4e98-4b22-a0ab-e26f87061629
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888090
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 11:45:25 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hg6r3is3h62ywjprk66rvqua552mwoffrgwlbaem2inapeckzua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b7319439e569c14c19ca9ebef113ac820f5786d81c99e720ef702d5b47a912a
AgentTesla
41f7130776c2f7a7bd3ab1902d51fa620666168535f49a483e236655ce1a663d
AgentTesla
47e6fd93cc7d879c970280e4bae5c2bad2ee63e4c9838a453c56dc5202a98bdd
AgentTesla
afc59eda3cd3ae17fcb0217e3e63779accc7d539cb9ea0cc9e72003c2b9ef51a
AgentTesla
be0a4ed3c561e6899b664ed912d709c0f7e928ee80ac0c7f3e05cb6e22aeaddf
AgentTesla
fb576650879372d9663097106467acbdb1fe14df845cc9acaf6cf2141b1c8ec4
AgentTesla
+ 13'549 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211112-n2axsadch7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0
MD5 hash:
b5044dd0e9c91b1a9185d491da7d07f2
SHA1 hash:
a9ff8129771d85f77b6a145f750c70e53f51125e
Link:
https://www.unpac.me/results/cf24b1d6-2a84-43f6-8221-e7598a3d2036/
SH256 hash:
50874f908db5c2d1065e8de1c36c3722ed67ad95b3d8cb16281151508d2317f9
MD5 hash:
534951e1e2ed8f09e10edaf9cd9dbbac
SHA1 hash:
a1d414a693080a562b602dd06a645acc8a304ab8
Link:
https://www.unpac.me/results/cf24b1d6-2a84-43f6-8221-e7598a3d2036/
SH256 hash:
a6d9d627e22cd8349948ba7269e66462ec43740dd36877dab43194125550ee19
MD5 hash:
8e1c114da671bc4d82dbcdf0eedf97d6
SHA1 hash:
2ba501c7abbc3876d65be1b5c4bfc725bf5becbf
Link:
https://www.unpac.me/results/cf24b1d6-2a84-43f6-8221-e7598a3d2036/
SH256 hash:
e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668
MD5 hash:
3e1e27b5fc6dda21675ad901ab59c391
SHA1 hash:
07a65c8215e2f3797c63398852fc6e9bc70e366f
Link:
https://www.unpac.me/results/cf24b1d6-2a84-43f6-8221-e7598a3d2036/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e1cde8ed12d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e1cde8ed12d9fdac592f8abde8d614077ba659c52c4d6584046690d03c825668

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1779682/
Cape
Cape
https://www.capesandbox.com/analysis/205288/

Comments


Avatar
zbet commented on 2021-11-12 11:52:26 UTC

url : hxxp://tazxter.com/ben/ben.exe