MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b48e7ff864393ce7ba79ce14b298a08898bddb2cd233dd0e3ecc3997dd9c3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b48e7ff864393ce7ba79ce14b298a08898bddb2cd233dd0e3ecc3997dd9c3d
SHA3-384 hash: 98da7304fe1c7800604c0eb7f077bd0793440e68405f0be79006ef9f865bf9a0f1a52e25d5c9921ca046dbf4867c9dd0
SHA1 hash: f728c051da82f02246a61610230b33fc6e704621
MD5 hash: 74b45cd555571bdd106a9afe1f4e7fc9
humanhash: east-lactose-iowa-cup
File name:order 1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:572'928 bytes
First seen:2020-11-10 14:14:00 UTC
Last seen:2024-07-24 22:25:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xgqwEHlsnrrsZNQ2OLFTPexfZcokWAPzAtf/mh6sfQM4EykdZyt8LF7W:yTPexf+okWXmoYRpdU8
Threatray 1'083 similar samples on MalwareBazaar
TLSH 55C4D03061ADEFC3D73D5BF9906513481FF8252B9160FA9DACC520D32567B0A4A28EB7
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.15379.5845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528217
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313208 Sample: order 1.exe Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 6 order 1.exe 3 2->6         started        9 newapp.exe 3 2->9         started        12 newapp.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...\order 1.exe.log, ASCII 6->25 dropped 14 order 1.exe 2 5 6->14         started        53 Multi AV Scanner detection for dropped file 9->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->55 57 Machine Learning detection for dropped file 9->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->59 19 newapp.exe 2 9->19         started        21 newapp.exe 9->21         started        23 newapp.exe 2 12->23         started        signatures5 process6 dnsIp7 31 smtp.hsa-intlli.com 14->31 33 us2.smtp.mailhostbox.com 208.91.199.224, 49744, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->33 35 192.168.2.1 unknown unknown 14->35 27 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->27 dropped 29 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->29 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 Tries to harvest and steal ftp login credentials 14->41 43 2 other signatures 14->43 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4b48e7ff864393ce7ba79ce14b298a08898bddb2cd233dd0e3ecc3997dd9c3d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 04:28:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s2i477ymq4tzz52phhbjmuyucejrpo3ftjdhxioh3gdtf65tq6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0424179a326437ff06b39a85d4c36d8b0196b366de2f7f00e8d1163c6c5ebad3
AgentTesla
18f1f0cd31212210131834c74f816f2c7fa78f50019257f714b616dbcb2e2320
AgentTesla
23e326bb788b0d6226858fc84fe911244132762db8714d142ff58b2a773e001d
AgentTesla
520aa25dc0181ce1a1cede20f837c4038dcd348d060d963d9c7ffbb82307f25d
AgentTesla
56c026a1b3db5b77e3d01e2ef5f727cae05b34e19fd01055ee1ba374bba3af5f
AgentTesla
93e18a89da6b3d7820476ce5f5feb50e384eac4753d6f91c8c31a5d6690f621b
AgentTesla
b2b25365ac3fab2649ba188a0c113a558686c049d89bb4b8f3d7439a6e6732c0
AgentTesla
b64834eeb000aadaea8048153c40436a4aa12e1ed93b506e5fb7146465b4943c
AgentTesla
d992fd656f6fdc8596933ac7cb0812f999a11ade26c4f66d69f6916742ee90b7
AgentTesla
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
AgentTesla
+ 1'073 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201110-98pclf7tjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments