MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9443037ff93a7a493cbd1a87001b339d06a96e9c00e8cc82863522490e456a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	e9443037ff93a7a493cbd1a87001b339d06a96e9c00e8cc82863522490e456a1
SHA3-384 hash:	cf43b99649bec3f6417f3b0c5684d6e4cbe7f7bd867322120b522b2fe79219d5c45ab931733e03748094023aff781ca8
SHA1 hash:	ffeddbc4b46e50d52a7de7062b1d99ffca9c37ad
MD5 hash:	c92dee08d86b6c57d9cb19c6ae53a695
humanhash:	sierra-ten-freddie-sad
File name:	uzo.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	334'848 bytes
First seen:	2020-07-13 14:36:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'636 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	6144:NM1BVHpuzKwI1pnpPmnNgoa9iIWSXwBwyzraYmBxLbxw6SdSu:a1vHpuzKV1pYnNgoCySYwyzmYmrLe6AS
Threatray	10'796 similar samples on MalwareBazaar
TLSH	A064129482DE2706CE614F70BE065712CF7A3E898A72F648EF4A339959673101E73B71
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/25433/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e9443037ff93a7a493cbd1a87001b339d06a96e9c00e8cc82863522490e456a1/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-13 14:36:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5fcdan77sot2je6l2guhaanthhigvfxjyahizsbimnjcjehek2qq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0947492a00cd402a32d498a1d7f1e2d30e1a1c5d48cc65fbef5784f7593b1eee

AgentTesla

1e82507cd7b999f2ffa46f4591486b0ff45fb3fc664419279c15677f4a5a20d9

AgentTesla

63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e

AgentTesla

6ce07f9854b3d9f983265569f34a640a9f274c1bfd30fcba4b6bb64c957ecc54

AgentTesla

75ce329091d54aa2fcf6cd6f58704493e0f4ac878279c49db239140051341931

AgentTesla

8e19aa41d4d9df55db350241ee00258f455501449ad3054c09b0ee7b148da430

AgentTesla

cf4cf0f064bbd1115fdee0971c7ffc9a474984eeda8107040589b425ae1a6605

AgentTesla

d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca

AgentTesla

ff3eb81477b36ac2239b623085961439379064929b20c4a69f72cb266adece83

AgentTesla

+ 10'786 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200713-jn43mz9sle/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/25433/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample