MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e75f6885b4547f13ee8864b2da889d2a6e7a990aa7019f9c078a7b884f2bc53e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 7



SHA256 hash: e75f6885b4547f13ee8864b2da889d2a6e7a990aa7019f9c078a7b884f2bc53e
SHA3-384 hash: 0ee328b42ffae1cd0dae01804367af32a56d16b6f9d9a59873a2f993bf08e97d6011dd01f63732bb9ba76e192a37e3d3
SHA1 hash: 38b64a9772e1b99e4dc4621b9c3a9106151a844b
MD5 hash: 06906293cb0712c9b68ff07af9578f23
humanhash: tango-golf-carpet-triple
File name: e75f6885b4547f13ee8864b2da889d2a6e7a990aa7019f9c078a7b884f2bc53e
Signature: AgentTesla
File size: 821'248 bytes
First seen: 2020-09-10 12:34:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0a51d3dbff2755c7c37ce35e5920f020 (15 x AgentTesla, 8 x MassLogger, 6 x Loki)
ssdeep: 12288:Hc8JhscTlxKwOUBMwW+c4eJsmYxBs4fCPMdVlgHyKVAUYyxcDWTZF5p:lLJlxKfwvmygMdzgSKqVvSFFP
TLSH: F4057C22BEE10836C1FF163D5C1B9E749C297DC22B34597A7BE8D80C9F396503929297
Reporter: madjack_red
Tags: AgentTesla

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 283973; sample EaWSwoDTMD; start date 10/09/2020; architecture WINDOWS; score 100). The graph image itself is not reproduced here; the recoverable process tree, signatures and network indicators are:

Root signatures:
- Multi AV Scanner detection for domain / URL
- Found malware configuration
- Multi AV Scanner detection for submitted file
- 4 other signatures

Process tree:
- EaWSwoDTMD.exe (started from root)
  - Signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 7 other signatures
  - Starts: EaWSwoDTMD.exe, notepad.exe, EaWSwoDTMD.exe
    - EaWSwoDTMD.exe (child): contacts hybridgroupco.com 66.70.204.222 (ports 49731, 49732, 587; OVHFR, Canada) and mail.hybridgroupco.com; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access)
    - notepad.exe (child): Drops VBS files to the startup folder; Delayed program exit found
- wscript.exe (started from root)
  - Starts: EaWSwoDTMD.exe
    - Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
    - Starts: EaWSwoDTMD.exe, notepad.exe, EaWSwoDTMD.exe
      - EaWSwoDTMD.exe (child): contacts mail.hybridgroupco.com and hybridgroupco.com; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
      - notepad.exe (child): dropped file C:\Users\user\AppData\Roaming\...\Data.vbs (ASCII)
Threat name: Win32.Trojan.DelfInject
Status: Malicious
First seen: 2020-09-10 00:36:53 UTC
AV detection: 44 of 48 (91.67%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: agenttesla
Score: 10/10
Tags: upx spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments