MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9
SHA3-384 hash:	18f3d36e468bbb794d0e230c199e3bb5dc0e811480fadacfd2a95d64d9fce89e54bd3b57d266bd15816d15be92435031
SHA1 hash:	36c48f5221ad073c627a3e23012291abd98e31fa
MD5 hash:	c57b6e188875d865dd1f64e3d21c0f5c
humanhash:	lamp-failed-hamper-friend
File name:	PO-521_sg-venture.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	517'632 bytes
First seen:	2021-05-10 07:10:53 UTC
Last seen:	2021-06-02 19:08:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:iOHFMw7Y9MA59CyMAn0G6V2RaC0L3vYigLG:iOH+w09tVw28zvYigLG
Threatray	4'731 similar samples on MalwareBazaar
TLSH	08B4E040E90DA899E7D9D5B3B53A8B510575BFEBC2F8819F26A9331412F37C320B6C16
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/153773/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.9482.18346.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/779635

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-05-09 22:09:50 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5frwiu3cbmol5ndhjpm4x3djjygbkx6xqnkmvveojrn3pyz3p7mq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f

AgentTesla

0e770b4b1dff63afb16c1ca24f74e45905ab4e9baa1cd7ec48dada2deb252d8f

AgentTesla

24a014a86dd35d81185598927f6b6638c314e051845d72e156b8123226e39afe

AgentTesla

698a07ee43319ed49e3a64c97c8626d26b7a9d5ff6c7c02d9ce87d0089c9ed90

AgentTesla

9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0

AgentTesla

b51842033a6ed385e07f4de9093412e410f50da878e761de8725c184f2327ec1

AgentTesla

be7af0c2f9356ba016baa597e558df431fa2c5fbd4ac2fbf8d86a24662dcd464

AgentTesla

de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234

AgentTesla

fd2a7682f371ab740d8691e13d1ab27f3919414019afd1b6ddf935394c59ba60

AgentTesla

+ 4'721 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210510-yj9d1bt3as/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

a2d0e4b945aa6affd37ab9174ebc17e6610e595a6c7b81f39ef8a541bfb0c1d3

MD5 hash:

8ce29709bd9aa28a746982a52d04ca48

SHA1 hash:

f7ce1c829041c39b65f543012b449dd19cbde417

Link:

https://www.unpac.me/results/edddebc9-7d30-4ec7-95f7-e9b0570907ab/

SH256 hash:

6324cce712caca4580a4d39395c3c660f518875cadceedb31f878215dfa8fd32

MD5 hash:

d9d95c37606df16a123f27869ddd0944

SHA1 hash:

1d3a51e57368b0fa292f884557b6b1d90c49072d

Link:

https://www.unpac.me/results/edddebc9-7d30-4ec7-95f7-e9b0570907ab/

SH256 hash:

611aaf3b809044463712325fdfdbf84bf32d2341c35ba51d80aad7acc03fc96f

MD5 hash:

7e25dfb935dd9f349e77eb479aa1a29b

SHA1 hash:

11f30a0c8a14243afa4dc2d6e6478b9e9bf245fb

Link:

https://www.unpac.me/results/edddebc9-7d30-4ec7-95f7-e9b0570907ab/

SH256 hash:

e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9

MD5 hash:

c57b6e188875d865dd1f64e3d21c0f5c

SHA1 hash:

36c48f5221ad073c627a3e23012291abd98e31fa

Link:

https://www.unpac.me/results/edddebc9-7d30-4ec7-95f7-e9b0570907ab/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153773/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample