MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59
SHA3-384 hash: c67623782a4e4fbd92a3a7c867971cd65be5999beee03d721b17e746734b99491faee204140f12eb67691dbf8f3a56fc
SHA1 hash: 59baaca57e0e6a52430946844503fa4a81ee1758
MD5 hash: d88aaac3bb0d123f64b32573a3726590
humanhash: carolina-lake-happy-princess
File name:Scan_210715_14_29_19.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:450'560 bytes
First seen:2021-10-07 09:59:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:mK8kouISYGYJPwFv9DbGhuFWiIGWIhr2eLYuOzLMxaZgq4:N8kpIS8JI9+u8JG/aesNOaS
Threatray 10'968 similar samples on MalwareBazaar
TLSH T14DA4022803A39609CE7947F52825ABF01F74B016211DE37C5BE4E1EC3E67BB54AE0697
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195801/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615ec524e3d213d202b9b092/reports/1d5eab5c-42b3-44b8-95b9-7c6235adb7a4/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b18aceb-6842-4e04-ac24-8aed308da963
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866238
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-07 08:09:26 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bn3mkrxejoun6spcibow3aekp7v57fwjjjxfwkrgrpxfzt2hzmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04468aecad4b1a4865d357bb60a6d86060f9390418e9065ede079c1310b3f8f2
AgentTesla
268ca772e3e7bef1a82759917e3b9c4377869aa7cb04a829397978adf495c340
AgentTesla
28361df2e00fefcda07f805ea5c17613194fd69b28f143d393f8aeb123cc5eb8
AgentTesla
620c140c63e18539f6e94c7310b9705bde63425fc8f10628ef24356a26f7db24
AgentTesla
72684a74349ce5fc82b27e2a5db12508ff040c352f920ed69fc688162f722c74
AgentTesla
b7e958ad3d7b10e4a79344e347a8f012f81e4caeb4007fbe0e6dd816bd48e221
AgentTesla
bec15fdabcc004c876a014db3ddf35482d79b606aac9430446878f9cc90c8161
AgentTesla
cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8
AgentTesla
d70dd46e7665afd47e252273c19314500682a1aede68b0d2dbfb653a96468fe1
AgentTesla
eb9581db02db6a23a836ba53574cf0d01bd50a6d368f10f77889a441bcb911cf
AgentTesla
+ 10'958 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211007-l1mtvacbh3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e60c71a3cafa86b370e02270a19023068c2a9491e6e621fac6cda033eb488081
MD5 hash:
132db1617757bd8770383741aa28b9fa
SHA1 hash:
d77cf66e14b5935df3ab42d51131d135a5e897fa
Link:
https://www.unpac.me/results/b4ee00d2-9bd5-4ea1-b646-a2cee79ca18e/
SH256 hash:
f922c3553e226a5fe416b35c57cc9fcb9521108e9c3b4b438ca34aa5c74403d8
MD5 hash:
5b2019cfc33bb1cc1f928babc5d23e0f
SHA1 hash:
ae7bd55f10713416943a5ece33091cfbd68467d9
Link:
https://www.unpac.me/results/b4ee00d2-9bd5-4ea1-b646-a2cee79ca18e/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/b4ee00d2-9bd5-4ea1-b646-a2cee79ca18e/
SH256 hash:
e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59
MD5 hash:
d88aaac3bb0d123f64b32573a3726590
SHA1 hash:
59baaca57e0e6a52430946844503fa4a81ee1758
Link:
https://www.unpac.me/results/b4ee00d2-9bd5-4ea1-b646-a2cee79ca18e/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e85bb62a3722/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e85bb62a37225d46fa4f1202eb6c0453ff5efcb64a5372d951345f72e67a3e59

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195801/

Comments