MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8
SHA3-384 hash: a33a86b254a916acfb65b25d9a341a7153efa41e5857e34b54939a571558dbb49264ac5b62f3e4e2a77b238e51663a67
SHA1 hash: 5f8fa02b8c876c2d690080655eb956cc7da28f8f
MD5 hash: 64e05d53ba0525b99fabd89c10e83679
humanhash: robin-social-bakerloo-batman
File name:64e05d53ba0525b99fabd89c10e83679.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'759'744 bytes
First seen:2021-02-10 08:48:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:oqN9cI9k9eP79c4RJG9J9cXZ3zDnN9Xozw8oLjYRxc9t9tKFcwg9oq5wN/GGPlyu:C
Threatray 2'658 similar samples on MalwareBazaar
TLSH EF8556127EDB365D3A6950407EDE893E7BAD72F0A221CD2F8166748F537B6109AF4E00
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.sardaplywood.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64e05d53ba0525b99fabd89c10e83679.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 08:54:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4b9652f-f0ca-4f7f-91ed-af0cc5fbbc11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116464/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.536.27295.32615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604131
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 15:54:39 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=467zhlo5s6hbtlytj63mrlwcfusvijxfdx36dkhnvbeptznvn3ma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
32d1ed4d0d689e2f7a6a897c95b1dfdc9c0f4dc6db406ae029a6e24011dba053
AgentTesla
54ca6ac69bd791aea2f2791e57fb53549f89967435f79c627e26cf6315e7c905
AgentTesla
60dca03424f304bc301d87cce1088764caaac62d84ab4beb0660beb1c6777213
AgentTesla
6df5a48329bec9ca6f6fbf4b5acc8b662d559c66e48304990756abc4fcbb505b
AgentTesla
7284ce088723465f101b804f22a27e235f6ae8148dd1120508e3fed43348ed54
AgentTesla
b229d8fc5afbdbf0f770fa04c3008733f556a9030fb4b3cc4615f0d9c845bcd8
AgentTesla
b6dff3d26e29336967dea9c2b9eaee29b67ecbaec1021262c4ebfd48f1457a5b
AgentTesla
bd1d09035bdd95f4d3253490eae2291e5461ac9d35885daa41e10c3c4d66edad
AgentTesla
d81b7fc5ccf7a9daefef61a374786666c75edf242c938448446045cc21fed7c7
AgentTesla
f41fce1a8a38854252064b8bea0bb2de490c609a1423478f6d20ccf0ad760a85
AgentTesla
+ 2'648 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210210-8ck2rdm2l2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
233b54ef6453ab9fff9feecf4b2e018b4fc205685a5d20f81726975525093fcc
MD5 hash:
6bf1b63e6c2d632ef86b1bdbb087f68b
SHA1 hash:
8ce13a6ba892f079318f4a781a97d82b6eb41468
Link:
https://www.unpac.me/results/e3b199c5-d198-4aca-b2ed-6bb6716acba7/
SH256 hash:
4c801f11dc92360e7176a3a0eb6a107c01ed27c97e5bbd5b8ea731d27727e10e
MD5 hash:
6405c7d7c219c9ea57c1805b51cde7d9
SHA1 hash:
8a507417863becce2f4159d48b599d6381b29849
Link:
https://www.unpac.me/results/e3b199c5-d198-4aca-b2ed-6bb6716acba7/
SH256 hash:
e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8
MD5 hash:
64e05d53ba0525b99fabd89c10e83679
SHA1 hash:
5f8fa02b8c876c2d690080655eb956cc7da28f8f
Link:
https://www.unpac.me/results/e3b199c5-d198-4aca-b2ed-6bb6716acba7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e7bf93addd978e19af134fb6c8aec22d255426e51df7e1a8eda848f9e5b56ed8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/973683/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116464/

Comments