MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3e5d7c2c787685ecd64a9de7288fdc6e492b1400fa395c51c94f2adbe9181f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3e5d7c2c787685ecd64a9de7288fdc6e492b1400fa395c51c94f2adbe9181f9
SHA3-384 hash: 15bf1cc552cb2bf149440b4a81757d259f6cd9011ad07f97277024aa6ef5431015f405cd165d3decdb86325462dc5f04
SHA1 hash: 619e7e02ed27a190e3a6ac8356b1ab8b5e9826d1
MD5 hash: afe68f9fb3208b55e2192245f14102d9
humanhash: ink-carbon-lithium-magnesium
File name:afe68f9fb3208b55e2192245f14102d9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:583'168 bytes
First seen:2021-05-20 14:12:25 UTC
Last seen:2021-05-20 20:11:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:hQ08+NJJ/F4nZaKYwJU7Rm6iQxcWcAxQjgwvjJYdKz:6gXJ/+s6JUVmbwRxU1j3z
Threatray 5'197 similar samples on MalwareBazaar
TLSH ECC4E03232C84B6DE47E67798160160113F9F94AD733DB49BCBE54D9363AE144BB2A23
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mecatech PO-3468719.doc
Verdict:
Malicious activity
Analysis date:
2021-05-19 08:28:46 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/82e4be54-1e33-40cb-8310-e65b84316928

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/159685/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.747-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e3e5d7c2c787685ecd64a9de7288fdc6e492b1400fa395c51c94f2adbe9181f9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 09:40:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ps5pqwhq5uf5tlevhphfch5y3sjfmkab6rzlri4stzk3purqh4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
242e697ace9bd90885566ecaaeb929569dc61217f9e01b190f764e89e77c8b16
AgentTesla
26b36a9a97d71b6ba20e272b2b52725f507ac4006bc39fb8d9bc106a37941b88
AgentTesla
4b288aa288ec036f3c044986e07629308aa8f2e0bd07ce3b97b08d1b28191dcd
AgentTesla
59653f2c5630242b3d29eece0a082cb9bcf2a81fed170e3c9a2cbfc50ade86d3
AgentTesla
82f1cee3c16ba6868870e1b45ccf5dfb126562a42f1b3ea0da7122a965f5a400
AgentTesla
89dfad2462cc08765d787e78b742bb41639e3172bbb4c928e272d80b0dd886af
AgentTesla
9957bf2272c138f1b0458ac13d04a7b4c11fdd081d32cf8b5986d4f7286c3468
AgentTesla
c218f628b56b2316cbe236c3a15eb3aa1d138ccd85fc5d5ce76ccaa61bf75032
AgentTesla
f00b76191455603bf8d2581005dc19af75847b1cb8460855288476d068517871
AgentTesla
f8280045a04ed953e7a35ed0531685c56db1554847e6c12ffdfcc04f887426d1
AgentTesla
+ 5'187 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210520-lpv4wj45ln/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3e5d7c2c787685ecd64a9de7288fdc6e492b1400fa395c51c94f2adbe9181f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e3e5d7c2c787685ecd64a9de7288fdc6e492b1400fa395c51c94f2adbe9181f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1255207/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/159685/

Comments