MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82
SHA3-384 hash:	1ebbabd6c974fa9092832e979e52ec18c503ecbd4a3ba438c92320e37953dfc07b5baa6319fcb5e62e15806a4e06b77a
SHA1 hash:	4367be00ac12f7dbd3572e3fd57aa84d46f45e58
MD5 hash:	45645bca6e28a5514d4f3a38ca852619
humanhash:	item-cold-march-jersey
File name:	PO2405120-บริษัท ธรีดีเอเชียจำกัด.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	690'176 bytes
First seen:	2024-05-28 06:43:04 UTC
Last seen:	2024-05-28 07:24:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:OKcpV/xdgO6OJvc7GRdz7QJFjlv70eSUNA7dodqaOeLJW3:bO6D7gz7S7zNBcaOSW
Threatray	443 similar samples on MalwareBazaar
TLSH	T128E4225332EA36B3E1BA92F68095419143F8325B2260E7D72EC630E707E5F48D76472B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b2b269f0d4e88692 (5 x AgentTesla, 4 x Formbook, 2 x Loki)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82.exe

Verdict:

Malicious activity

Analysis date:

2024-05-28 06:47:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/28612c19-9287-4411-bfb6-1f617759ee9d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.31549.2462.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66557d405721c8e527178087win7simulatehigh_evasion

Tags:

Stealth Agent

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec7c797a-d911-4354-ad35-fc13bf2a2695

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1448320

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82/

Threat name:

ByteCode-MSIL.Trojan.Negasteal

Status:

Malicious

First seen:

2024-05-28 01:55:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=46k6a3mbyskuoi6rbtk2777wuskhwvokvvragp7ifhwxflwg3wba._file

Verdict:

malicious

AgentTesla

74a7dd343c4fac52d9d695d8d189a1bf3d5e5578622099bdf731544df385b75d

AgentTesla

76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1

AgentTesla

aadb33b16813d11fedf84427622b20fe6381534a5ab973adb309e05b5b7be182

AgentTesla

d94c178a97e83869cb2f1c3e90b2102d16cb7a4527cb3e764c62255b9fc870ec

AgentTesla

e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82

AgentTesla

+ 433 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240528-hhgy4ahf7y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

73113abdadefd54e02f0d3f3aec21c31e96b315dc2ad6ae7d725cd5197e97c48

MD5 hash:

ae27d0d76e10c13d9dc0ad2a6b147756

SHA1 hash:

f1a4bc030b4476ac1450cc797213e34f567dd434

Link:

https://www.unpac.me/results/bbe14c9d-4ce4-4450-9108-6f13765617a9/

SH256 hash:

1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe

MD5 hash:

ceb52a5c98659e8905ea76737fe00c01

SHA1 hash:

bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694

Link:

https://www.unpac.me/results/bbe14c9d-4ce4-4450-9108-6f13765617a9/

SH256 hash:

2031f6621b67d613266f2e2c344ffb55b770d81f264c8a28d6c0d9ba87a4fa1a

MD5 hash:

4a20d37ca319f8c8f8c21da6d43d1416

SHA1 hash:

76e43c3fb07136a9b237ec28c5864235d5afd8f8

Link:

https://www.unpac.me/results/bbe14c9d-4ce4-4450-9108-6f13765617a9/

SH256 hash:

c2a07282b96bbc8790127ada0efddc66a9c042f113d3fcc967ffd94f8969525e

MD5 hash:

fa6b61295e5716bffa3917a9d669869f

SHA1 hash:

3bba1934bd6c13d8e7cdd1a56006c5fba5fa320b

Link:

https://www.unpac.me/results/bbe14c9d-4ce4-4450-9108-6f13765617a9/

SH256 hash:

e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82

MD5 hash:

45645bca6e28a5514d4f3a38ca852619

SHA1 hash:

4367be00ac12f7dbd3572e3fd57aa84d46f45e58

Link:

https://www.unpac.me/results/bbe14c9d-4ce4-4450-9108-6f13765617a9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e795e06d81c4954723d10cd5affff6a4947b55caad62033fe829ed72aec6dd82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample