MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0
SHA3-384 hash: b65a523724700a78883edf4d52aa4e3cf9db190d0d24ad19481ba4597c85fbe7c184244e201a378af97225cf8568fb01
SHA1 hash: 773cfc45676644b969dfbb2e0d839b7c34eb8151
MD5 hash: d6aed3b4faa42ac4d003f77f0fde206a
humanhash: batman-whiskey-hydrogen-green
File name:Order List.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:606'720 bytes
First seen:2020-11-05 09:56:11 UTC
Last seen:2020-11-05 11:51:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:ikGJKTlo6VuPeR6u8KacQ/gAbqyjq0UVID3UiTCv1oLAEt9ZlwPC+loarN+fzo42:iMTaKp/FFSXnKdCvSQcdCVNEAmD
Threatray 1'724 similar samples on MalwareBazaar
TLSH B5D442F450EF109AF19B883526ADBDA001B2B9C7DBCA5A08137DF5312BBDA533B0564D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83187/
Detection(s):
SecuriteInfo.com.Generic.mg.d6aed3b4faa42ac4.6639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/521244
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 09:25:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gmpbs6wv325l35cibokzt2vss676xqyha5iv3gme3fknne2d3qa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
01330ada2211171d1bb5db977363a94cea239c455ea8c2fabea401a29b1c8143
AgentTesla
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
090b379ffd22f27e1070c2f56d6a7833a6f04451cd4b065571dd2e04e62faac5
AgentTesla
20dbea65f9ea5d713ead877a8fdca2bb606af820520ea99fafcef39fc7652ce2
AgentTesla
252cd2dc483bc1fe2a6b555dbf762cac69a24b6526abd6cbc4c501eb7ac21b21
AgentTesla
2565e3190558400fb85b0389e7aadf850a4c32d2b7b7d09e37820b8ad361c39a
AgentTesla
2b299b1a485f9387dcc44b788637e9d81430d06a0a64c2bf96754b153bee7746
AgentTesla
3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e
AgentTesla
6609cf9b0aefabaaf1bccc04237e6ff32315960166bf4aa2ff5372cfb51c80d3
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
+ 1'714 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201105-cl2q2jqh4a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0
MD5 hash:
d6aed3b4faa42ac4d003f77f0fde206a
SHA1 hash:
773cfc45676644b969dfbb2e0d839b7c34eb8151
Link:
https://www.unpac.me/results/68c62ffe-775c-499c-8705-c800ba238732/
SH256 hash:
21f0328ec23287bafff6b257ca443c66ba4c5b2dc3aad31711a1a37ee61662c6
MD5 hash:
c5b6980f4de4b1cdeccd872ee9a54a1b
SHA1 hash:
60a3bd1dd5828e486f4bf19b923f0a36b5898e0d
Link:
https://www.unpac.me/results/68c62ffe-775c-499c-8705-c800ba238732/
SH256 hash:
c70811be859d07f91cb24273f3cbaca1ef9345e3a541502304866e96242b290b
MD5 hash:
d7ed4b42cf6c8b314acd2b4f874e59bc
SHA1 hash:
a53872ec54a6be7c01864db0b485382ddb9418de
Link:
https://www.unpac.me/results/68c62ffe-775c-499c-8705-c800ba238732/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 62c6ae8e0c812a058659ce77a1891469dd570732235b7ac4b5199e401e92f2da

AgentTesla

Executable exe e998f0cbd6aef5d5efa2405caccf5594bdff5e18383a8aeccc26caa6b49a1ee0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 62c6ae8e0c812a058659ce77a1891469dd570732235b7ac4b5199e401e92f2da
Cape
Cape
https://www.capesandbox.com/analysis/83187/

Comments