MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc
SHA3-384 hash: f706b1b9c6bc94536f904a464793ea51b2277150e1295d4fd16e45eac84a374029890ed27c4df918ce4ef19082c62b4c
SHA1 hash: 6078dfe3c3a0cc8774a54995d616d072bffbe622
MD5 hash: f0fa1235a95739075788b95080b7531a
humanhash: arkansas-diet-glucose-zebra
File name:Scan00445.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'547'264 bytes
First seen:2022-03-11 12:16:22 UTC
Last seen:2022-03-11 22:44:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:6OGf/UUHdcaQrUNvaMB5Ix5cPKIe44q4ee1RnivIyW5mmnh5:65/UUHdcaB7P7SewL1
Threatray 15'673 similar samples on MalwareBazaar
TLSH T1EB65BF0562D80F15EBBFBBB6A2FC182C4975B92357479E1E38095E860EE37604C5363B
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249414/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching the process to interact with network services
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Moving of the original file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
dotnet.exe msbuild.exe obfuscated packed
Link:
https://www.filescan.io/uploads/622b3dcfb94fb38cb45c213b/reports/84b23d52-eb23-4078-a643-1af206e144dc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95826961-6da6-43ad-9809-a1cefdfda838
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954839
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: File Created with System Process Name
Sigma detected: Hurricane Panda Activity
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587320 Sample: Scan00445.exe Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 .NET source code references suspicious native API functions 2->57 59 .NET source code contains very large array initializations 2->59 61 3 other signatures 2->61 7 Scan00445.exe 7 10 2->7         started        11 svchost.exe 1 1 2->11         started        14 svchost.exe 1 2->14         started        16 6 other processes 2->16 process3 dnsIp4 45 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->45 dropped 47 947de341-42b2-4a13-b00c-055d53c26989.exe, PE32 7->47 dropped 49 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->49 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->65 67 Creates an autostart registry key pointing to binary in C:\Windows 7->67 69 Uses schtasks.exe or at.exe to add and modify task schedules 7->69 71 3 other signatures 7->71 18 947de341-42b2-4a13-b00c-055d53c26989.exe 20 1 7->18         started        21 net.exe 1 7->21         started        23 net.exe 1 7->23         started        25 12 other processes 7->25 51 127.0.0.1 unknown unknown 11->51 53 192.168.2.1 unknown unknown 11->53 file5 signatures6 process7 signatures8 63 Multi AV Scanner detection for dropped file 18->63 27 conhost.exe 18->27         started        29 conhost.exe 21->29         started        31 net1.exe 1 21->31         started        33 conhost.exe 23->33         started        35 net1.exe 1 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 25->39         started        41 conhost.exe 25->41         started        43 10 other processes 25->43 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 12:17:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4r5ayuuglpimjesgtlcsu2qr5h7glqrrpxacfi6iczhqh4f6t26a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
AgentTesla
16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8
AgentTesla
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
AgentTesla
d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63
AgentTesla
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
AgentTesla
+ 15'663 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/220311-pf2n2shdc4/
Behaviour
System policy modification
outlook_office_path
outlook_win_path
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Grants admin privileges
Looks for VirtualBox Guest Additions in registry
Nirsoft
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc
MD5 hash:
f0fa1235a95739075788b95080b7531a
SHA1 hash:
6078dfe3c3a0cc8774a54995d616d072bffbe622
Link:
https://www.unpac.me/results/99781ea1-8314-41da-9069-29a9c89b2ea6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e47a0c52865b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e47a0c52865bd0c492469ac52a6a11e9fe65c2317dc022a3c8164f03f0be9ebc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/249414/

Comments