MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e
SHA3-384 hash:	520c3375099b707f8477cb7332021f8bdc5ffbe97f01debf8a7b8aa4a92fc1d2d2975bf37673e00579353195286e8797
SHA1 hash:	5a08e838f5b38ba878568a90734288c246e386f5
MD5 hash:	482504a53067eb6331948b2f946927df
humanhash:	montana-speaker-juliet-romeo
File name:	2101180DMCUG.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	663'040 bytes
First seen:	2021-01-18 18:15:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f85ebb67bac58f72de974a91d40889a (5 x Formbook, 3 x RemcosRAT, 2 x AgentTesla)
ssdeep	12288:U8WvAMYGY5RFNBeU7vgTOzrdCeDWecJq1KaWICDBnh:U8W4T17vgKzDTJKv1nh
Threatray	384 similar samples on MalwareBazaar
TLSH	51E4CF24B880C032C17329368979E2F2097EA5301F655ADFABC819795FB41D27739A7F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.alasbobo.com
Sending IP: 5.2.75.116
From: k_cashconnect@kasikornbank.com<k_cashconnect@kasikornbank.com>
Subject: Credit Advice
Attachment: 2101180DMCUG.cab (contains "2101180DMCUG.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2101180DMCUG.exe

Verdict:

Malicious activity

Analysis date:

2021-01-18 18:23:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/850731bc-5546-47fc-abc2-bbb870fe42bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/112639/

Detection(s):

SecuriteInfo.com.Variant.Mikey.118306.12714.12682.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/584096

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e/

Threat name:

Win32.Trojan.Mikey

Status:

Malicious

First seen:

2021-01-18 18:16:06 UTC

AV detection:

14 of 46 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4lnafbg5mvqpj7p4fixmt2x3br4r5pv4pmhlzqgxslghsfascrpa._file

Verdict:

unknown

AgentTesla

321be1554d0c8aaf169078b16f29bac61f923485fcc124499a6886c4ecadb552

AgentTesla

35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3

AgentTesla

6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8

AgentTesla

82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7

AgentTesla

adc10139a3870919bf60c4345f1e9d09eec3c590a434e761c55ff3da112e9a68

AgentTesla

c363769d3d6ae833d71203a5a678ad04349404eae3788865fcdb706c3c7543b0

AgentTesla

ccd9176d26caf90647653816162ea4622ae24e253b7da139fdfacd74a555a8a1

AgentTesla

f73c1a2549b119a5de3964cdcbbdbefbaca205e1f149b4d77688a92285b4d20b

AgentTesla

fe7c717b3f64d3c721f760c5d62cf09b7bfcdb8fcbf163e7958907a3d7b2dfad

AgentTesla

+ 374 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210118-534n9kz6ys/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

5649945a88a39d624435cb5c3257e071c3b81c2be7513522a1b23b1b1138fa56

MD5 hash:

f209e8996f803b8f152dccd5bf5d81ea

SHA1 hash:

a6c43c0433c027a5d0db741883567ced38f41848

Link:

https://www.unpac.me/results/b7abc182-0893-4b9d-8dc1-0e8ceae865c3/

SH256 hash:

e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e

MD5 hash:

482504a53067eb6331948b2f946927df

SHA1 hash:

5a08e838f5b38ba878568a90734288c246e386f5

Link:

https://www.unpac.me/results/b7abc182-0893-4b9d-8dc1-0e8ceae865c3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 769e68d997b5c675672c9db237d62b9704c795c89804ac591c8a3e6bf64bea03

AgentTesla

exe e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e

(this sample)

Dropped by

MD5 14e84bfcd3802e25d074483e9cead8f6

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/112639/

Dropped by

SHA256 769e68d997b5c675672c9db237d62b9704c795c89804ac591c8a3e6bf64bea03

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample