MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3b9d82f6955be14b44507c14f258655f6bcfcb55cc55c9d3fed24ff421addd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3b9d82f6955be14b44507c14f258655f6bcfcb55cc55c9d3fed24ff421addd0
SHA3-384 hash: 2abcfdc0da2840cbdf8411ac0c8a10ee5d16fed92b7f0c8f6518efefae847b1d0dc9876b50e2917b2c22518ccb380504
SHA1 hash: 19984c764ec14886ad63cde8298946a7a0e45040
MD5 hash: 78dd90b87e930edb1e7b27bb3052a21e
humanhash: eight-missouri-hawaii-helium
File name:78dd90b87e930edb1e7b27bb3052a21e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:502'272 bytes
First seen:2020-09-08 07:41:58 UTC
Last seen:2020-09-08 09:03:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 3072:9NiH+0Q1pMaO8sM/2UwBsbo1Y55Gkx5yoAauCHPy/p8MFnFJtmbhe2Rh03uEhAaK:9ARQ1pMaO8neKBoauwhoy+eEhGq1gv
TLSH 74B407392BC65875CE1E02B480298A84B6B1B6077B96CB1FA1C792DD4E035DFBF160DD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.1and1.es:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/57818/
Detection(s):
SecuriteInfo.com.FileRepMalware.18795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3b9d82f6955be14b44507c14f258655f6bcfcb55cc55c9d3fed24ff421addd0/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-08 07:43:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4o45ql3jkw7bjncfa7au6jmgkx3lz7fvltcvzhj75usp6qq23xia._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet spyware
Link:
https://tria.ge/reports/200908-gbkza6mn8e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3b9d82f6955be14b44507c14f258655f6bcfcb55cc55c9d3fed24ff421addd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57818/

Comments