MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184
SHA3-384 hash: 89a5c2776c03c1f72ba24452e7dd89da65aed2dbc577d87464588d238c01108d62dbd7f14201d0a92c8a71fa7b09d8e3
SHA1 hash: c0f2cdfbb6da8f92e6898de0875162b25d930064
MD5 hash: ef4dd302e4e1863ecc78c61303cb7932
humanhash: wyoming-mountain-river-spring
File name:image002.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:671'744 bytes
First seen:2020-11-24 08:33:59 UTC
Last seen:2020-11-24 11:14:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9W00V/N8KocT4HjKmJBiO2o16lSVzPFRfJx/qVG1jYAoZCIL/5uKrSAt8LFi:M0Yboclmnt6cz/xyqsAonscJ8
Threatray 1'461 similar samples on MalwareBazaar
TLSH 6DE4F13152D27E96FB6A2F71D1B5E6380FA67C6B9A30D61C3AD80CD73461B048929F31
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/545797
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 08:15:56 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ournbxxnytj6sw3muuwd3f4pbmwrqznmf6odgtcabiistytwgca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
13dcde3e9c6f160ab11c94f84aba6b7a1b802126258e59f872fd1ae61ce8ff64
AgentTesla
7a68b68dbc26cebe34fe472b9dc79c1bd76c6b1ff7a4d404d75e5f02c6254865
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e
AgentTesla
b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8
AgentTesla
c1823f0befbdf02c1275d0641e142aeebc8d70d9dab04816ada7339da23061e2
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
fdac92b0fe7d038bfdfa12127cae944e95dff1ef54684923785701d9e92dfaf4
AgentTesla
+ 1'451 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201124-5psyy3r5z6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184
MD5 hash:
ef4dd302e4e1863ecc78c61303cb7932
SHA1 hash:
c0f2cdfbb6da8f92e6898de0875162b25d930064
Link:
https://www.unpac.me/results/2ffe1072-d8f2-4173-acf9-29239d550c1a/
SH256 hash:
9c7862a28ffe904fe705eb26184769c388077b24c99fff0ba07ebd15d13a4725
MD5 hash:
d1fb1f41f1280fd41971843fa10af0f2
SHA1 hash:
3350614e4f9efeb9dba76fd0c95f4b1ec98a2d8e
Link:
https://www.unpac.me/results/2ffe1072-d8f2-4173-acf9-29239d550c1a/
SH256 hash:
5b563f42abb48cbf246db1a832b82000545466d7e3cd01b4117ba2e960c74db1
MD5 hash:
360736c17f885b921bf8edb3dc95885d
SHA1 hash:
5a9716bfa5be495f436d6d82c961f3b08669093b
Link:
https://www.unpac.me/results/2ffe1072-d8f2-4173-acf9-29239d550c1a/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/2ffe1072-d8f2-4173-acf9-29239d550c1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments