MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310
SHA3-384 hash: 2790e79a598e97094a0781923055436a57e7b141637f6ab67db8ddca571daeeb5aeca4abff2d59769844588aa24c662d
SHA1 hash: 410bf6f20cb8d3815866b31c7c7d777fbccb6ea2
MD5 hash: 2a1545c3d87e97567f8b086860e5832b
humanhash: kitten-cardinal-sad-red
File name:Betaling,jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:811'520 bytes
First seen:2023-03-03 15:18:13 UTC
Last seen:2023-03-03 16:35:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:2wwt+2McUJrdRhT5js5HE2u08wvQW0iaGTf/YeOXv:qt+XLsxRu08wYI/YNXv
Threatray 1'138 similar samples on MalwareBazaar
TLSH T11F05DFAC3210BADFC817CD76CAA82C64E66174B7570BD203905715ACAE1DA9BCF116F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0060696971696000 (10 x AgentTesla, 3 x Loki, 3 x Formbook)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Betaling.jpg.img
Verdict:
Malicious activity
Analysis date:
2023-03-03 11:00:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d5223f72-1409-4944-bf67-1b26a5c28f49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371417/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64020feabfec0852a68ec97e/reports/3f1f6efb-4701-415d-884a-c83ceb00b957/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1be9b2eb-3f06-40a3-8ba0-52a235d85e53
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186815
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 05:46:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lh7342mkx43bf27yzi2b5e5wzp7lhbumebcd7s67lat24urcmia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67
AgentTesla
2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2
AgentTesla
5d527329e8357f80cb29fda1069d67b7799a7e7b0147dc3a494bb0f80fa63152
AgentTesla
6e0b4b8c54f19220d1eccfc78b1e221301b4427cc45946849c3b05b1adf4324c
AgentTesla
6e8160f23b32743ffdcd853036d351c0ec4410d61f28254854b0ec6abdfb4fc3
AgentTesla
9b2b9f8f70057a1d60700f490e59ae93972ce2fdfb852770ae08fdfff72a0611
AgentTesla
a0babf015c7652654b66196cfe93729189b834425c6993589f3f95d5fbd84172
AgentTesla
ae773800646505a74d624672b6a3bf5d74c92dc78d7d1fdb9df1842d692c21ab
AgentTesla
bdf30178d213789a9a31a454653a627d3cef374e860fecbd5ff1e49ad30c6d8f
AgentTesla
ef95af586b997f584bf2a77bfee3c621a77a317bce648944e51129f61b49d174
AgentTesla
+ 1'128 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230303-sp67nsaa25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
78277d17b48bdbb249d370532cb28411367008fbf963d166fe1a206a91bb0c13
MD5 hash:
fb03b4b3d421e338927ff11c2a86bb6e
SHA1 hash:
a07ca25e638fe4d3c1d3d0c567aa189e90d668f0
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
cdd982da288f64fdcfcba3e6c919b9394566baefad16c61cdb11beea92ea2102
MD5 hash:
4fbd616036b7d5ed4b874ca33070fd8a
SHA1 hash:
75c2ccc6e95844bff14c946b725cddd4dd609d7f
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
SH256 hash:
074c57af40f10acbfca8ec60aa9a4f0c920ebef6a182252825a622189071f2ac
MD5 hash:
25f957c12866f9fb7b83711758c46917
SHA1 hash:
541f632211117d278f70fb23ab3350cfac0f3315
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
SH256 hash:
25dc912f599e1e609c12b98f7325a24d0409b485cf8a1e4ae8b8785ef8324915
MD5 hash:
e3f598fb1bc08de6e3294e9297c44b20
SHA1 hash:
33e0e2b0d0b5541cbe3982d9d69657b751f00753
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
SH256 hash:
e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310
MD5 hash:
2a1545c3d87e97567f8b086860e5832b
SHA1 hash:
410bf6f20cb8d3815866b31c7c7d777fbccb6ea2
Link:
https://www.unpac.me/results/b70bd29e-800b-4e62-a6b2-428f83cadfc1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2cffdf34c55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371417/

Comments