MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e657ffb001754315f6a10d766882fc481809a576fde55ff1f0158b793beac202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10
SHA256 hash: e657ffb001754315f6a10d766882fc481809a576fde55ff1f0158b793beac202
SHA3-384 hash: bc49ccef05f0dd19908bfafc85c6ad8e5cfa7b0776a49917480420d327401c165d1a7bf4b495d60318ae964b7224982f
SHA1 hash: 8f6becc21ce64e74a5d9b0bd27ac46473b4e3eff
MD5 hash: 6e36034dfac320bf8e38151f1b452ce0
humanhash: tennis-king-lactose-apart
File name: DB payment transfer receipt E3S20092257312223020.exe
Signature: AgentTesla
File size: 944'128 bytes
First seen: 2020-12-23 14:21:47 UTC
Last seen: 2020-12-23 15:32:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
Note on the imphash: f34d5f2d4577ed6d9ceec516c1f5a744 is the import hash of practically every .NET executable, because the only native import such a binary carries is mscoree.dll!_CorExeMain. That is why it is spread across three unrelated families here, and it should not be used as a pivot for this sample.
ssdeep: 12288:7C9DGK3pnGmonzKs5jPl66Iht2JlzTQpszYqbHg6fY8gNksOdjs3eRhu263bOfrr:u9DbpGrzw3wAOZakvgObMODN+
Threatray: 2'171 similar samples on MalwareBazaar
TLSH: 28159E243DEA5419F173AF3ACBD87489CBBEF6233703E51E64E4234A4613A41ED8157A
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 922
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DB payment transfer receipt E3S20092257312223020.exe
Verdict: Malicious activity
Analysis date: 2020-12-23 14:24:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3

Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2020-12-22 21:33:55 UTC
File Type: PE (.Net Exe)
Extracted files: 17
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
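The sandbox signatures above (moves itself to the temp directory, renames itself, then injects into a freshly created process; RenamesItself, WriteProcessMemory, SetThreadContext) describe a staging pattern a detection engineer can look for in endpoint telemetry. What follows is an added example, not a rule from MalwareBazaar or any of the sandbox vendors: it walks Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) events and flags an executable written into a user temp or AppData path that is then launched, marking the stronger case where the launcher is the very process that wrote the copy and where the Hashes field of both ProcessCreate events shows it is the same binary. The events, the user paths and the staged file name (svchost.exe in Temp) are constructed for the demonstration; the field names follow Sysmon's schema.

```python
"""Detect the self-relocation / relaunch staging pattern in Sysmon-style events.

Added example, not vendor code. Event dicts use Sysmon field names
(EventID, Image, ParentImage, TargetFilename, Hashes); the sample events
below are constructed and the staged file name is invented for the demo.
"""
import re
from typing import Dict, Iterable, List

# User-writable staging directories: the reports above mention the temp
# directory; AppData\Roaming is added as an assumption (commonly used too).
STAGING_DIRS = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|temp)\\", re.I)


def is_staged_exe(path: str) -> bool:
    """True for an .exe placed under a temp/AppData-style directory."""
    return path.lower().endswith(".exe") and STAGING_DIRS.search(path) is not None


def detect_self_relocation(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """One alert per executable that was written to a staging dir and later run.

    Correlation is by the staged path: EventID 11 records who wrote it,
    EventID 1 with Image == that path shows it being executed.
    'self_relaunch' is set when the parent of the new process is the writer;
    'same_binary' when the Sysmon Hashes of writer and copy are identical.
    """
    writers: Dict[str, Dict[str, object]] = {}   # staged path -> FileCreate event
    proc_hashes: Dict[str, object] = {}          # image path -> Hashes from ProcessCreate
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev["EventID"] == 11 and is_staged_exe(str(ev["TargetFilename"])):
            writers[str(ev["TargetFilename"]).lower()] = ev
        elif ev["EventID"] == 1:
            image = str(ev["Image"]).lower()
            proc_hashes[image] = ev.get("Hashes")
            writer = writers.get(image)
            if writer is None:
                continue
            writer_image = str(writer["Image"]).lower()
            alerts.append({
                "staged_path": ev["Image"],
                "written_by": writer["Image"],
                "launched_by": ev["ParentImage"],
                "self_relaunch": str(ev["ParentImage"]).lower() == writer_image,
                "same_binary": ev.get("Hashes") is not None
                and ev.get("Hashes") == proc_hashes.get(writer_image),
            })
    return alerts


# Constructed telemetry: the lure file name and SHA256 are the ones on this
# page; user, directories and the renamed copy are made up.
LURE = r"C:\Users\alice\Downloads\DB payment transfer receipt E3S20092257312223020.exe"
STAGED = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
LURE_HASH = "SHA256=E657FFB001754315F6A10D766882FC481809A576FDE55FF1F0158B793BEAC202"

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LURE, "ParentImage": r"C:\Windows\explorer.exe", "Hashes": LURE_HASH},
    # benign noise: a browser writing a non-executable into Temp
    {"EventID": 11, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\scratch.tmp"},
    # the sample copies itself under a new name into Temp ...
    {"EventID": 11, "Image": LURE, "TargetFilename": STAGED},
    # ... and launches the copy (same bytes, hence the same Hashes)
    {"EventID": 1, "Image": STAGED, "ParentImage": LURE, "Hashes": LURE_HASH},
    # the real svchost.exe is not in a staging dir, so it is ignored
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=0000"},
]

if __name__ == "__main__":
    for alert in detect_self_relocation(SAMPLE_EVENTS):
        print(alert)
```

Expect benign hits from installers and updaters, which also stage and run executables from Temp; the self_relaunch and same_binary flags are what separate a self-copying stealer from those, and an allowlist of signed publishers handles the rest.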

Unpacked files
SHA256 hash: e657ffb001754315f6a10d766882fc481809a576fde55ff1f0158b793beac202
MD5 hash: 6e36034dfac320bf8e38151f1b452ce0
SHA1 hash: 8f6becc21ce64e74a5d9b0bd27ac46473b4e3eff

SHA256 hash: ef382489173215f01d88307091a8c4add749bf34053be293a1b13a684c81afcd
MD5 hash: c49803398d1c4bba767a55dcddec1087
SHA1 hash: 426b173372a1025a6de7ad7e6e5ed0fd0259c5d5

SHA256 hash: ba4abdf257008bb406b736660eb5dfd54c9675f155ba189ae6da9dcac27a2139
MD5 hash: 607cabaac5524db950e8de4c7c7ef347
SHA1 hash: 5b1a60a79535a972e9df3841a1c3e1c637c736c6

SHA256 hash: 51b11613df0a8a93c9bf286ff3696c32f50b7763d78425815afaf1d8564fa186
MD5 hash: 6ecc999b80aac33f4255cd30134483ee
SHA1 hash: 86e68ae281efd6741d89eb30388040bb9e68034b

SHA256 hash: 1f0a807569ff68b70974dde9bf640f279c3ad794a7b58685ea33c3f230a97c34
MD5 hash: 02647a92aa8b94cc91817e2d62d9ab74
SHA1 hash: fff28411d0fc9655a5b5f69571552590d3837ea9
Please note that we are no longer able to provide a coverage score for VirusTotal.
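The SHA256/SHA1/MD5 values above, for the submitted file and its five unpacked files, are the indicators a responder can actually sweep for (the imphash is shared by any .NET binary, and ssdeep/TLSH need their own libraries). The following is an added example, not MalwareBazaar's code: it hashes files with the same four algorithms the entry lists and matches them against those published digests, checks the 'MZ' header that the application/x-dosexec MIME type implies, and applies a constructed lure-word heuristic for the vendor's "suspicious name" signature. The digest sets are copied from this page; the word list, helper names and directory walk are assumptions.

```python
"""Match files on disk against the hashes published in this MalwareBazaar entry.

Added example, not MalwareBazaar's code. KNOWN holds the SHA256, SHA1 and
MD5 values listed on the page for the submitted file and its five unpacked
files. The lure-word heuristic and the helper names are assumptions.
"""
import hashlib
import os
import re
import sys
from typing import Dict, List

KNOWN = {
    "sha256": {
        "e657ffb001754315f6a10d766882fc481809a576fde55ff1f0158b793beac202",
        "ef382489173215f01d88307091a8c4add749bf34053be293a1b13a684c81afcd",
        "ba4abdf257008bb406b736660eb5dfd54c9675f155ba189ae6da9dcac27a2139",
        "51b11613df0a8a93c9bf286ff3696c32f50b7763d78425815afaf1d8564fa186",
        "1f0a807569ff68b70974dde9bf640f279c3ad794a7b58685ea33c3f230a97c34",
    },
    "sha1": {
        "8f6becc21ce64e74a5d9b0bd27ac46473b4e3eff",
        "426b173372a1025a6de7ad7e6e5ed0fd0259c5d5",
        "5b1a60a79535a972e9df3841a1c3e1c637c736c6",
        "86e68ae281efd6741d89eb30388040bb9e68034b",
        "fff28411d0fc9655a5b5f69571552590d3837ea9",
    },
    "md5": {
        "6e36034dfac320bf8e38151f1b452ce0",
        "c49803398d1c4bba767a55dcddec1087",
        "607cabaac5524db950e8de4c7c7ef347",
        "6ecc999b80aac33f4255cd30134483ee",
        "02647a92aa8b94cc91817e2d62d9ab74",
    },
}

# Constructed heuristic for the vendor's "suspicious name" signature: finance
# lure words on an executable. Adjust the word list for your environment.
LURE_WORDS = re.compile(r"payment|receipt|invoice|transfer|remittance|swift", re.I)


def digests(data: bytes) -> Dict[str, str]:
    """All four digests the entry lists, for an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def file_digests(path: str) -> Dict[str, str]:
    """Same as digests() but streamed, so large files are not read into memory."""
    hs = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha3_384")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def match_digests(d: Dict[str, str]) -> List[str]:
    """Sorted names of the published digest lists that contain this file."""
    return sorted(name for name, known in KNOWN.items() if d.get(name) in known)


def is_pe(head: bytes) -> bool:
    """application/x-dosexec on the page means a DOS/PE 'MZ' header."""
    return head[:2] == b"MZ"


def suspicious_name(name: str) -> bool:
    return name.lower().endswith(".exe") and LURE_WORDS.search(name) is not None


def assess(name: str, d: Dict[str, str], head: bytes) -> Dict[str, object]:
    return {
        "name": name,
        "sha256": d["sha256"],
        "ioc_hits": match_digests(d),
        "pe": is_pe(head),
        "lure_name": suspicious_name(name),
    }


def scan_dir(root: str) -> List[Dict[str, object]]:
    """Hash every file under root and report IOC hits and name/header findings."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(2)
            results.append(assess(fn, file_digests(path), head))
    return results


if __name__ == "__main__":
    for r in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        if r["ioc_hits"] or (r["lure_name"] and r["pe"]):
            print(f'{r["sha256"]}  {r["name"]}  hits={r["ioc_hits"]}  lure_name={r["lure_name"]}')
```

Treat a SHA256 hit as the authoritative match; MD5 and SHA1 are only included because the entry publishes them and older tooling still reports them. A lure-name hit on its own is a triage prompt, not a verdict.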

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other