MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e84d812785fb97f21fbf2343649f166e617de4b321484edf16ed4f44da6e9cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e84d812785fb97f21fbf2343649f166e617de4b321484edf16ed4f44da6e9cba
SHA3-384 hash: 6922116a0df32b61ca51cdeca9d4a92eaec16ff2b37fba26c41f440fd58f2e35329139a04a9067954ea99d837441a9e3
SHA1 hash: 0f8c34677f8ab3da4480b6bb1b95250450240174
MD5 hash: ae9fdeb83054c5b5f1f4d231904a8dde
humanhash: blue-fifteen-princess-illinois
File name:Tltoms.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'155'584 bytes
First seen:2021-09-28 11:37:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:o/gecNU2zqX6lUB2AkeKuijP3zdMof4aHiX3cSIAaxa:xDNgWUB2Akee3zxfliX3cH
Threatray 10'765 similar samples on MalwareBazaar
TLSH T12F359D0077E88A29D6EE3734E4704A5412F6FC56A57ED38E6D05B9AE1EB3B814D103B3
dhash icon 6052b064ec6c6268 (2 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tltoms.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 11:45:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc66e11e-0adf-4e4d-99f4-9137d8681201

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Malware.AI.1767554360.29023.9314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81244d4d-5306-430b-8ff5-a95d5f6fcebe
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859784
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492215 Sample: Tltoms.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AgentTesla 2->41 43 3 other signatures 2->43 7 Tltoms.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Local\Temp\Tltoms.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->29 dropped 31 C:\Users\user\...\Tltoms.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\Tltoms.exe.log, ASCII 7->33 dropped 45 Writes to foreign memory regions 7->45 47 Allocates memory in foreign processes 7->47 49 Injects a PE file into a foreign processes 7->49 11 Tltoms.exe 2 7->11         started        14 AdvancedRun.exe 1 7->14         started        17 powershell.exe 18 7->17         started        19 AdvancedRun.exe 1 7->19         started        signatures5 process6 dnsIp7 51 Multi AV Scanner detection for dropped file 11->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->53 55 Machine Learning detection for dropped file 11->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->57 35 192.168.2.1 unknown unknown 14->35 21 AdvancedRun.exe 14->21         started        23 conhost.exe 17->23         started        25 AdvancedRun.exe 19->25         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e84d812785fb97f21fbf2343649f166e617de4b321484edf16ed4f44da6e9cba/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 01:11:36 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bgycj4f7ol7eh57enbwjhywnzqx3zftefee5xyw5vhujwtots5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
AgentTesla
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
7868ece7b29dcba357ff00b1e0394b6e8062eae5512c08a0dea575c2d4f55230
AgentTesla
79ff327848f9254764561866a5b26ed55aa24453aea69b1f42dbcad5ac140b00
AgentTesla
e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077
AgentTesla
ecb4fe719a7fc1365d70ec9db8b3c74cb4bf8968324c25d3817fcc5628fae6fa
AgentTesla
+ 10'755 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210928-nrrsjsbge8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
cfb5b5e56743a2cc9d8c4bfd35fc1ad45d38f8ff606271d263d2e1f225dd1b6e
MD5 hash:
d27be2e62f910b822660aa165a097294
SHA1 hash:
d71f3816162cc7a80057d17929ab9a0b5ebf65b6
Link:
https://www.unpac.me/results/e6d77850-ed45-465f-92ff-d6e597a85c41/
SH256 hash:
2c8f27c0912e6b41d431c86e0fa605baa1d1d3587e66ef27f4c8c7a95cfb223e
MD5 hash:
ea52186d5c738862b8b817b0c8e705b0
SHA1 hash:
24a3de5e8a8c8c87fed8e62694182b1eb832322e
Link:
https://www.unpac.me/results/e6d77850-ed45-465f-92ff-d6e597a85c41/
SH256 hash:
e84d812785fb97f21fbf2343649f166e617de4b321484edf16ed4f44da6e9cba
MD5 hash:
ae9fdeb83054c5b5f1f4d231904a8dde
SHA1 hash:
0f8c34677f8ab3da4480b6bb1b95250450240174
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/e6d77850-ed45-465f-92ff-d6e597a85c41/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e84d812785fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e84d812785fb97f21fbf2343649f166e617de4b321484edf16ed4f44da6e9cba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_karkoff_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments