MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1
SHA3-384 hash: 1de14747abdca7fabc7a29f1c7ea138fdde8294542d451bb7d29e030dea9148ab74b636136d9613279c16cf22f06f936
SHA1 hash: 81ed02b464b7a2c6e70732583d3b17869b5ebe79
MD5 hash: e8f94f7ce2524f16aa8e2129dca88f79
humanhash: kitten-robert-comet-violet
File name:SecuriteInfo.com.BackDoor.SpyBotNET.25.23177.1803
Download: download sample
Signature AgentTesla
Create hunting rule
File size:67'304 bytes
First seen:2020-10-10 08:38:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:57sBAD+cQAPzlD+UE8Qh2GXDMwJ6W4Q93p8w1VfcSKBUf2hQM:Zc4lD+JljAW1V4SKBUfc
Threatray 439 similar samples on MalwareBazaar
TLSH DD6320062141F50BDBAB0B781A17ED943BF0D6B44461D04DEAD1529DCF83ABA3E5CACE
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69733/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487483
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 07:29:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
024fe29d6f94fe5fb1afead83c7e0deefa8127669e8e66043334b6bef130f9f8
AgentTesla
14fcbebcc9d8c68ee30c888473ddb5fb08d4f0026b506c66668acb8c49ff0146
AgentTesla
30798ac2e4157b25f548e10f23743df081e52bb62865f3bf539ff54440d6c520
AgentTesla
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
AgentTesla
587cf961a9b37e426ce6f1d532d5e40b2e08b67ad48a077537870fe873370d59
AgentTesla
655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1
AgentTesla
a3510ca0d8cbd8fb1035c1c59a8781abfc1e463d0429e108c242c23188f1adcc
AgentTesla
cf22a4ba35e94ec83bdf1aec7b4422009aa33f7c6a2c707513d7b1a9eafb368c
AgentTesla
f2534f52eda2331872b580d6e36f66969b14c0c1407901e41e563f5ab147708c
AgentTesla
fea260d8c97eb6ae4079fb37951566b9f2ec8f785688a3ff63bc7833b6cebdf0
AgentTesla
+ 429 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201010-ql7lqj6cha/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1
MD5 hash:
e8f94f7ce2524f16aa8e2129dca88f79
SHA1 hash:
81ed02b464b7a2c6e70732583d3b17869b5ebe79
Link:
https://www.unpac.me/results/64828033-e98d-4650-9244-7d33e816a85b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e7aa0873a6b93c66108e1c5a209d2af54060944f00bd412cf9b0f69c4acea9e1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/69733/
  
URLhaus
https://urlhaus.abuse.ch/url/678634/
  
Delivery method
Distributed via web download

Comments