MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9
SHA3-384 hash: 5489339f72546c34e220b97714cf42d66556a8b733b9a4ef4a746747c740dd5e510b71db9d0f8ef49ac3ee95106b7055
SHA1 hash: d4be64a81ed25abdc6dc905f8b0724b0c3b2a1b4
MD5 hash: 694d036934436a54746956bb0b692e5e
humanhash: yellow-oranges-seven-two
File name:Shipping Document PP&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'584 bytes
First seen:2020-09-24 10:18:02 UTC
Last seen:2020-09-24 10:36:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 10c4e79da1631ecbb0bd1ff36adbf403 (3 x AgentTesla, 1 x Loki, 1 x AZORult)
ssdeep 12288:XOL2EC+KNAlnSVi4dVNkKQqdiuV7a+u9LjyXOZJRHKzY:XGRYAlnG7T9V7a71j8+JMc
Threatray 1'579 similar samples on MalwareBazaar
TLSH B2E48D22E3E1C437C3271539DC1B9774682ABE502928A846FBF5EF4C9F397813919297
Reporter JAMESWT_WT
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65311/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/474155
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-24 00:04:24 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ikq6fqncgukpel3hadac4pm52y5naqjzjoicokgqkynqkhtlleq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03150c9b34f3c06083c0af32c4fc038a5c059fdd8b19c927206df5961f40c189
AgentTesla
05793491a0160fba57cf1219dd69f0c49a1fd9a43cafe0f78590c1e526f298c6
AgentTesla
165a1197676a6b92b0086bbdb79a3b615c83ec9d686449b934c4475905608b2a
AgentTesla
19036261b89b27743d0b8c2353751f57b256357525068f67b166608b1eb33268
AgentTesla
25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0
AgentTesla
43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c
AgentTesla
5e0b3550098aeaef4722fe9d3299c218e399fb9d379c04336d70bd1be58f61d1
AgentTesla
718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a
AgentTesla
b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
+ 1'569 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx spyware
Link:
https://tria.ge/reports/200924-ktkzqgelpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/65311/

Comments