MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7
SHA3-384 hash: fd782b7ef520684afd0b625138a9468282e9ffef2cf453e67e6b639f3b0295b54804a0295ebea43cd58a7d92a7074cf8
SHA1 hash: 12371d0e271f5dda7b04b15b7e231cbd12a2d4ef
MD5 hash: a5d46206473c7fe486cd1a25bfa85bec
humanhash: carbon-jig-delaware-july
File name:scan20230717_16422889(1)pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:663'552 bytes
First seen:2023-07-28 13:29:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'661 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 12288:aAbgjjvFx2SBV290YFHW0oPL+nO0lxUxtfPFtO8fa+RNiZ:aKgjjLBV2nFX4cO0LUfPFkd+ru
TLSH T1DCE4F051F2681F9BD43653F94825A2045BB6BB6E113CD6085EF6B4C722B2FC10E46F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scan20230717_16422889(1)pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-28 13:32:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/722ed5ef-06fa-483d-a68a-713c95461928

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/435914/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2211.7619.23795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64c3c2dc80fc6008e92218ba/reports/16da2e22-58a2-46b1-a486-c6b92698fade/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9198ebab-1151-4e54-8aa5-0fd4bd22080f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281846
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1281846 Sample: scan20230717_16422889(1)pdf.exe Startdate: 28/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 7 scan20230717_16422889(1)pdf.exe 7 2->7         started        11 pOADBW.exe 4 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\pOADBW.exe, PE32 7->35 dropped 37 C:\Users\user\...\pOADBW.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp5A75.tmp, XML 7->39 dropped 41 C:\...\scan20230717_16422889(1)pdf.exe.log, ASCII 7->41 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 scan20230717_16422889(1)pdf.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 23 pOADBW.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 sculeprofi.ro 89.42.218.190, 49706, 49709, 587 ROMARGRO Romania 13->43 45 mail.sculeprofi.ro 13->45 47 192.168.2.1 unknown unknown 13->47 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        49 mail.sculeprofi.ro 23->49 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->71 73 Tries to steal Mail credentials (via file / registry access) 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-28 13:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4im6bqfc4nj5nhgfak2vmbig2gbkocqtidwlifjttjlekzcck2tq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230728-qrtcgsde74/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2a79a417b8219faf68290b8f03912e71f780fdc2de43d7dfc019c22e9d7d0d3e
MD5 hash:
4644bd21b5353a548c61fe71cb075fd5
SHA1 hash:
fc76f8966d8d871a527a8ecac9803c2003c2b1cd
Link:
https://www.unpac.me/results/fa1e577d-5944-49e9-be02-aa163352ca51/
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/fa1e577d-5944-49e9-be02-aa163352ca51/
SH256 hash:
312fa8991908c7dfed0fb9fe822b222fceb3412ccb156d491a7535b24c8e8ea3
MD5 hash:
49d29cf39f247df5e1f962c5db87d7db
SHA1 hash:
d718200b0884faf2372365c5f43f873e45506998
Link:
https://www.unpac.me/results/fa1e577d-5944-49e9-be02-aa163352ca51/
SH256 hash:
17414b73bdce17c72c55300aaf6dbdcf07a36d5ec2a6c483575995501dea61fd
MD5 hash:
7fa0dbb3e7186db1ead32a38073025b3
SHA1 hash:
b073d2c6a0208b2701bc67931dffc0a9bf98a865
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/fa1e577d-5944-49e9-be02-aa163352ca51/
Parent samples :
8870531d4e128acc53f46c599578c3b3b6ae82712bfe4a7c008332b4394cb331
ef9a39b1d91ce4e4b8ec5da6cd906fddb71837ba7438b13f96ea095d6102673d
5d68001f1a762921f2203524901bc239c7b5d5da040f128b549a73740bf79a36
e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7
SH256 hash:
e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7
MD5 hash:
a5d46206473c7fe486cd1a25bfa85bec
SHA1 hash:
12371d0e271f5dda7b04b15b7e231cbd12a2d4ef
Link:
https://www.unpac.me/results/fa1e577d-5944-49e9-be02-aa163352ca51/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e219e0c0a2e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e219e0c0a2e353d69cc502b5560506d182a70a1340ecb415339a5645644256a7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/435914/

Comments