MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8
SHA3-384 hash: ac5143cc25e69842a917658c5d09ab5d2aab0599f79de996c3549bf2eb756426c3d46fdbcb6c147cbbbafd8dcfc849e0
SHA1 hash: bf60d167a86ea4a2d27c2a82667233bf530ae7f5
MD5 hash: 3ca91af4e0cb9dd74822f86bb512d741
humanhash: ink-sixteen-washington-carolina
File name:3ca91af4e0cb9dd74822f86bb512d741.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:628'224 bytes
First seen:2020-11-17 07:18:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:AGE2s38jRl+gPkdyOwg1rlq6/sQl4BX+bOxxyCI:AD2sMCdybCrlqesa4BXYOWC
Threatray 1'255 similar samples on MalwareBazaar
TLSH CED412156BA44CBACBFE5778F0B657018A33E5C0F01FEB470419A8F9B593B9119E02A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://192.210.214.146/webpanel-majorboy2/inc/3321836fba4ddd.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.461.28756.13931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/539055
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 07:19:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5d6bm2exm5i25c3kiuycb3mwaznkjbrwcifyki3dyro72jxmgtma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
14fbd7283be9da4d0fe9736a3a86b1b779b4c4abdb077f0647625fd5ad8068ec
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
89a79d6e08f22036f754947d43d1c5b6ba7865e246f462dedea0836dd748a8ea
AgentTesla
a148266deff592c1ba38bc1616f5483f7ba9d73f97dd88a3def54834b8434a1e
AgentTesla
c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105
AgentTesla
cbc1b2bb407f02710060a11cdd74386337b92597af3d8de8c1d90c33672868ec
AgentTesla
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
AgentTesla
e788686b2a0e0efbf94e3f33a47e63494ca216e965191d82cd2922b8af6fe037
AgentTesla
fb5e770325e5d90b7de5f851ac2c14d72d18571f52d73d1bea12985e72b9c0fa
AgentTesla
+ 1'245 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201117-2yel28k8va/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
3101a6bb40a89c7aaf8a7e5684093c010fab8d47352a58c75b74edd6051b0342
MD5 hash:
203ae0014bc089e13178c7a6da3830f8
SHA1 hash:
01469a6b653fcad88ad2ed2c561e6f6014409d13
Link:
https://www.unpac.me/results/4a606961-d44a-42b4-a328-1090605c7b7d/
SH256 hash:
d7488f4265649364bba97b5b6c3e9129273c99be5fdbdc11700d692a667cf30c
MD5 hash:
3cd3411bc033cdd1e4812ce453adf333
SHA1 hash:
8af9a8fbf7430878d7851314daa53c23d02a0a43
Link:
https://www.unpac.me/results/4a606961-d44a-42b4-a328-1090605c7b7d/
SH256 hash:
e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8
MD5 hash:
3ca91af4e0cb9dd74822f86bb512d741
SHA1 hash:
bf60d167a86ea4a2d27c2a82667233bf530ae7f5
Link:
https://www.unpac.me/results/4a606961-d44a-42b4-a328-1090605c7b7d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e8fc1668976751ae8b6a453020ed96065aa48636120b852363c45dfd26ec34d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/807263/
  
Delivery method
Distributed via web download

Comments