MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb
SHA3-384 hash: ab619b814bb31093d7379863630d55d54c5fc359b7e677f14aebdddba33f43b8a33dc0fe98e1d13da91f0b75b71f7898
SHA1 hash: e680a3fdd550eb4a6aca20b30a36e05eb45415ea
MD5 hash: 33e68a7510dcfb5bde633f26fdeca472
humanhash: edward-stream-hotel-bakerloo
File name:SecuriteInfo.com.Trojan.DownloaderNET.345.1426.23758
Download: download sample
Signature AgentTesla
Create hunting rule
File size:377'328 bytes
First seen:2022-09-30 15:36:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 6144:BWanHVEMY712J9kd4hOktonWXXcd/yy1a+:nn1E5E/bhOktonWXOKy1
Threatray 130 similar samples on MalwareBazaar
TLSH T1AE84C37191F16AC9F896CEB29E60E609FFE70C819981821FD13439F61273B84D6491FE
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315226/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.1426.23758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
DNS request
Creating a file in the %AppData% subdirectories
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
mimikatz obfuscated overlay packed
Link:
https://www.filescan.io/uploads/63370cea90cb824e9d9fb03e/reports/2ace69a1-0411-4425-8795-a21b167662ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d15c0cf1-09ae-4fe2-8c59-18eccc196eaa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081016
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 713569 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 30/09/2022 Architecture: WINDOWS Score: 100 24 Snort IDS alert for network traffic 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 4 other signatures 2->30 6 SecuriteInfo.com.Trojan.DownloaderNET.345.1426.23758.exe 1 2->6         started        process3 file4 20 SecuriteInfo.com.T....1426.23758.exe.log, CSV 6->20 dropped 32 Writes to foreign memory regions 6->32 34 Allocates memory in foreign processes 6->34 36 Injects a PE file into a foreign processes 6->36 10 RegSvcs.exe 2 6->10         started        14 RegSvcs.exe 6->14         started        16 RegSvcs.exe 6->16         started        18 2 other processes 6->18 signatures5 process6 dnsIp7 22 mail.ruraluniv.ac.in 103.231.43.163, 25, 49699 CTRLS-AS-INCtrlSDatacentersLtdIN India 10->22 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->38 40 Tries to steal Mail credentials (via file / registry access) 10->40 42 Tries to harvest and steal ftp login credentials 10->42 44 Tries to harvest and steal browser information (history, passwords, etc) 10->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->48 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 11:35:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dfvj7ahgno5rqda6nk47og7pmj66m7wuo36febaxyezycbcro5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1da2f6c15940cf37556f471f610fa4812f5d2809d0c9908ac2a2bddae0a56b07
AgentTesla
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979
AgentTesla
54d181deb9b270d27858c1d344d803147adeba2da5e5e27de677c616ffe6236f
AgentTesla
f89bda16cbe45d1a83fe2c107ae20b93f95f433c72b188cb76b8070073f25fc9
AgentTesla
fb559ac4a5283b265e98f6bf9db7875335b649d5737eb379025198459a651128
AgentTesla
fbaa359f59c800c0ce65914c76a95e3daaf82a86a053a08e38e3aa6c5cfb00e0
AgentTesla
+ 120 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220930-s2ggsaehen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/49ab944d-4c0c-4dec-9d57-3aa2a37345c1
Unpacked files
SH256 hash:
7bbd05ff8729f5d5cd1daeed2be08f6e28f0d1c5668626ed2cae7ce1b4de6fd0
MD5 hash:
7e5a526bfa8c3027fa25ebfd19c49c2c
SHA1 hash:
ca26492ec3117498c0669d60056347f7dd573763
Link:
https://www.unpac.me/results/5ef883c8-8a5f-4864-862b-7bff877ed8f0/
SH256 hash:
35f7aac90f980ca22ed89a02f1ba81141b1c1c8987a3cd4c32071d7854dcfad9
MD5 hash:
de8784cd082c399ddd98af770e9ef726
SHA1 hash:
28618c6a0abe25b64abe121d5af8b03435fce955
Link:
https://www.unpac.me/results/5ef883c8-8a5f-4864-862b-7bff877ed8f0/
SH256 hash:
e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb
MD5 hash:
33e68a7510dcfb5bde633f26fdeca472
SHA1 hash:
e680a3fdd550eb4a6aca20b30a36e05eb45415ea
Link:
https://www.unpac.me/results/5ef883c8-8a5f-4864-862b-7bff877ed8f0/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8cb54fc0733/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315226/

Comments