MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
SHA3-384 hash: 33d4a2d49f18d687ed202bfae11a3d76c65782dcb6318af3073c280a6a324ee1f22f655401266a24b9ef361a0632309d
SHA1 hash: 17c07d5b66b17ef50890b09effafa109b34a5a0a
MD5 hash: 77e2b6a251b3ed0440f515824c1d67fd
humanhash: queen-dakota-missouri-muppet
File name:77e2b6a251b3ed0440f515824c1d67fd
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'640 bytes
First seen:2023-11-01 17:17:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:IjbyGBWKkv4KnIbow0Qa5oAMJ7Ec0rdebYvgwLHqZ0aTHWsYoa:IjOGwJwKnaSoXqr4/sGV
Threatray 547 similar samples on MalwareBazaar
TLSH T156F41240B6BA5B3BFD7593F5166062481BF2706BA2B9F3088CDBB0C75199F404392B5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Inquiry-IND23072113.doc
Verdict:
Malicious activity
Analysis date:
2023-11-01 16:18:27 UTC
Tags:
exploit cve-2017-11882 stealer agenttesla
Link:
https://app.any.run/tasks/89845962-24f6-4f31-8861-87e0bd757661

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457672/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2504.10035.17898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65428853a6fa5eab936d02c9/reports/54a33a72-a090-4a59-b60c-ac3a2ff8ea38/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/388a98aa-1712-4206-a4db-1cc74be298ed
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335609
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335609 Sample: P6W3tMUHV0.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 43 mail.zoomfilms-cz.com 2->43 45 zoomfilms-cz.com 2->45 47 2 other IPs or domains 2->47 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 8 other signatures 2->67 8 imNIUlUiF.exe 5 2->8         started        11 P6W3tMUHV0.exe 7 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 69 Multi AV Scanner detection for dropped file 8->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->71 73 Machine Learning detection for dropped file 8->73 75 Injects a PE file into a foreign processes 8->75 17 imNIUlUiF.exe 8->17         started        20 schtasks.exe 8->20         started        22 imNIUlUiF.exe 8->22         started        24 imNIUlUiF.exe 8->24         started        39 C:\Users\user\AppData\Roaming\imNIUlUiF.exe, PE32 11->39 dropped 41 C:\Users\user\AppData\Local\...\tmpF606.tmp, XML 11->41 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 11->77 79 Adds a directory exclusion to Windows Defender 11->79 26 P6W3tMUHV0.exe 15 2 11->26         started        29 powershell.exe 23 11->29         started        31 schtasks.exe 1 11->31         started        53 127.0.0.1 unknown unknown 14->53 file6 signatures7 process8 dnsIp9 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->55 57 Tries to steal Mail credentials (via file / registry access) 17->57 59 Tries to harvest and steal browser information (history, passwords, etc) 17->59 33 conhost.exe 20->33         started        49 api4.ipify.org 64.185.227.156, 443, 49720, 49724 WEBNXUS United States 26->49 51 zoomfilms-cz.com 195.54.163.133, 49722, 49726, 587 ITLASUA Ukraine 26->51 35 conhost.exe 29->35         started        37 conhost.exe 31->37         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 11:52:53 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sdooe45qiurnu3aqidykqij2somdxnf7ckngfgcvyogvkpnqjeq._file
Verdict:
malicious
Similar samples:
2b55f7e957049c9786d8e556542de0e61b069f24578a516884395b154c12d0b3
AgentTesla
42f53657f1fa3e1a832805479fb96f941870e7722c577f7a201a81543dddb878
AgentTesla
495c9826ec56d32fa8ded966e3d6c461b43bfb042ff9e227e75fdb8f55435208
AgentTesla
56201f646915a1f24dbb151b653b770290ca145e163999bc39a874bb174ec33b
AgentTesla
5825bde73102349f8a9ba272fce964413be3563bb4c4ef17dff41c2fed460932
AgentTesla
bb9892ff838c2e6a7a2740122a6518b9d60da413638e7e102fa9729d1d9df7cb
AgentTesla
c107d4cc003e96086be97b02304631459e7b4ef3038fd6716ab583efe60dc964
AgentTesla
e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
AgentTesla
f1ff3671c84b073f77c786da2c09f4ad2de52cb37dc60806ce52254b3d6929c3
AgentTesla
ffe2f8fec7f9ba8ff7877c6913820df6048f6d3df97dedf8d81efc3a51baba87
AgentTesla
+ 537 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231101-vt9jpscf83/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e69fc10e81e6f3d698f426c265b2a3f9291655b6fae9a0402236a72f472659de
MD5 hash:
b1813d3304abce3f2c86f5b138d91c0f
SHA1 hash:
ffd8e3762e1956a1a9d290357deb06ba066c9df6
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/3961065a-a0fe-4fc7-bdd4-f4fd98feb9ca/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/3961065a-a0fe-4fc7-bdd4-f4fd98feb9ca/
SH256 hash:
321b9837024c717dd5b2ad4217a7e2734e368bdb58918437baf42f46a34149b1
MD5 hash:
91412a60691a2512ab0becb2f7002a32
SHA1 hash:
70fe342dd601a4b6a3fb67202c9ea3b3fea31b5c
Link:
https://www.unpac.me/results/3961065a-a0fe-4fc7-bdd4-f4fd98feb9ca/
SH256 hash:
d3fa66343a232285a1f8258b203bcc15f7608a2710c58fc0e7dd871f8441780d
MD5 hash:
e4728e95149859f9b5d41264eba63f3a
SHA1 hash:
3184a5544b37da9abbc41b07577b33a9f9e99493
Link:
https://www.unpac.me/results/3961065a-a0fe-4fc7-bdd4-f4fd98feb9ca/
SH256 hash:
e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
MD5 hash:
77e2b6a251b3ed0440f515824c1d67fd
SHA1 hash:
17c07d5b66b17ef50890b09effafa109b34a5a0a
Link:
https://www.unpac.me/results/3961065a-a0fe-4fc7-bdd4-f4fd98feb9ca/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e486e7139d82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726987/
Cape
Cape
https://www.capesandbox.com/analysis/457672/

Comments


Avatar
zbet commented on 2023-11-01 17:17:33 UTC

url : hxxps://swamini.in/wp-content/uploads/wpr-addons/forms/litoptics2.1.exe