MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f
SHA3-384 hash:	40f09e88b565984a0fe8601e514e467314349b67973891655f0b5ebb81f2688168cd41f0133a5da9ce0d812a05f4f995
SHA1 hash:	dd2e73f2c9442d99d2a437dc4b35b042e9cd607f
MD5 hash:	1c8acafaf3e9796bfc7d0e12c208ce88
humanhash:	carpet-five-shade-summer
File name:	Pago Santander.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	550'912 bytes
First seen:	2022-04-08 06:03:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:jj5TE0ZQemFfrtnXxroFUfTmI824nfy0Olkrqud2HN:jlTEZfxnB0FmZ4XOYrd
Threatray	15'777 similar samples on MalwareBazaar
TLSH	T115C4F10DFB1AADF4E91E43F839719D637F61E403A4AD9DAC558962270C2438311ABDCB
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pago Santander.r09

Verdict:

Malicious activity

Analysis date:

2022-04-07 15:47:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1d63de72-9722-422c-b4be-707bf90fbb79

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/261853/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/624fd053cccdcb994728ff0e/reports/0361baa5-d0b1-4b44-afff-47feb0ff6f6e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e1ef4cc1-9972-4428-bbcf-b7b145753dba

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/972870

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-07 21:30:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=44urnz2oddlzylo32wi3u7ox4x2fx4z43cos3tdegyo77rd2q5pq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

455f8ac7989fcb89c80af780f91d1d3572a4728c24b712ece44fc2d4b6e65cb9

AgentTesla

83a8cc912b1a3d00f24d9de117fce9e695e62ace9d45ad22ec57ba903bcdecfd

AgentTesla

a14c255d82f08107b367c118327fb18b4849b96a01990d1052d5047cd439f25b

AgentTesla

c8c2ea10a6f7bd9937885c7a58d00b6fffc727d891d309888e3530bf4583dcae

AgentTesla

d2e072688c198eb2dab3b0d69510bfa4b3ef32f4691d4db8e62e6b656534c542

AgentTesla

eb15dfb2c62a7f51fa3c2bf32a75f333f964948f9bcafb46b850e0a849bb583d

AgentTesla

f8de76218fd0271a451ae44949301a03c4bdcf2e855dea225dc1630aa20c45c5

AgentTesla

+ 15'767 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220408-gsk8tsghe8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

07470b1d2dae8b14bd86eeab097a86149dc985d5144787933441ac75abc9d55e

MD5 hash:

a461b3e0711a1c517e79848884ef9687

SHA1 hash:

f204346b0a3cb4abc9c2d07e6186b493ce061efa

Link:

https://www.unpac.me/results/0404eaac-5eff-4d4c-b18d-69df5cd8682f/

SH256 hash:

76e2d40004401d41fa4d654aaa2f8aa068dbd0466203ad1e1ac1bb265d169c2e

MD5 hash:

ceb3f1810f0dbf2db88d394bea8f519a

SHA1 hash:

a5a23e5e28cb8c40669803fd81981e2a060e2266

Link:

https://www.unpac.me/results/0404eaac-5eff-4d4c-b18d-69df5cd8682f/

SH256 hash:

e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73

MD5 hash:

4379771ccd9b927712ef2505214161df

SHA1 hash:

6636b7b80e279de67c60b52277f566463afebf8e

Link:

https://www.unpac.me/results/0404eaac-5eff-4d4c-b18d-69df5cd8682f/

SH256 hash:

025fd34b016ccc03c7b25390c3c0478943d182fed1198311d62383475d055753

MD5 hash:

b654b004329901c99c2541222c7a49e8

SHA1 hash:

582abc36d21bdce1b63f82131ff22a7c405d983b

Link:

https://www.unpac.me/results/0404eaac-5eff-4d4c-b18d-69df5cd8682f/

SH256 hash:

e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f

MD5 hash:

1c8acafaf3e9796bfc7d0e12c208ce88

SHA1 hash:

dd2e73f2c9442d99d2a437dc4b35b042e9cd607f

Link:

https://www.unpac.me/results/0404eaac-5eff-4d4c-b18d-69df5cd8682f/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e72916e74e18/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.