MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c
SHA3-384 hash: f7bb7ddf2ffe6a0949bd61ce0fb2d62d605412e6fd02852d70fb49979a67d4189117443d166728248aeedf9e324300fd
SHA1 hash: 90af0aeb4514711a249939df708d832798b8108f
MD5 hash: 7e1d71e078202fa97958cc48f0e93d18
humanhash: double-angel-butter-finch
File name:scan-Soa_2020_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:547'840 bytes
First seen:2020-10-07 05:05:48 UTC
Last seen:2020-10-07 06:24:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c06a0c2cba6ac708df6c8aa85f8baf3 (1 x AgentTesla)
ssdeep 12288:N5LBQ9+u7yLDX3ZVds99MOtiDkc4BSjJZXSln4oSt:v8+u7ODX3ygO1cCn4l
Threatray 2'108 similar samples on MalwareBazaar
TLSH 67C42345E5A3A692E18558B1204D57F9B396E9020FD06332DEF3C72BBA74FC8F1C5292
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: maersk.com
Sending IP: 156.96.156.196
From: Lily Yan<yan.chen@maersk.com>
Reply-To: cmk.electno@gmail.com
Subject: MAERSK LINE STATEMENT OF ACCOUNT SEPTEMBER 2020
Attachment: scan-Soa_2020_pdf.iso (contains "scan-Soa_2020_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68773/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483671
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 02:00:42 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5heqaklczdqxpay44wse4yx5bl4x36crqas7y2mpo6jzuehw32ga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f
AgentTesla
814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
AgentTesla
f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 2'098 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201007-enabvymvmn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c
MD5 hash:
7e1d71e078202fa97958cc48f0e93d18
SHA1 hash:
90af0aeb4514711a249939df708d832798b8108f
Link:
https://www.unpac.me/results/7e2f4055-72fa-47d5-af2a-200502384a14/
SH256 hash:
2145aa5d3cbde48c1b1a0ff23b27fa67a1b659dca3875ed02d3c0a2885622a3d
MD5 hash:
039cb8369a11dd0a7079c96fceb658e4
SHA1 hash:
ab98840907fb288b6eb5eec7d6701a5b5951c562
Link:
https://www.unpac.me/results/7e2f4055-72fa-47d5-af2a-200502384a14/
SH256 hash:
34090a31848039affddbca08f832a3aa304cd841dab1eafe4bf7db4eb17c85dd
MD5 hash:
f1ed5c16789ff18e3363e1f480785c73
SHA1 hash:
255ce193135af00a95509df6c09fae363468642e
Link:
https://www.unpac.me/results/7e2f4055-72fa-47d5-af2a-200502384a14/
SH256 hash:
b900fb8c33794c5b653df50232ef8cb42973c591913a60ef062333967fe32fa5
MD5 hash:
b2767db254a48e2dc6f12235cf749d67
SHA1 hash:
383004f6634f63897a1772c93ef5adf08783aecb
Link:
https://www.unpac.me/results/7e2f4055-72fa-47d5-af2a-200502384a14/
SH256 hash:
325058849320b9593718a550bfc7d305fb85ba48edfdc1dc99ca1aa0d4e40711
MD5 hash:
e5e5643562e5acb7198be69e78e9997a
SHA1 hash:
acde6f93332e5a7dc73f20c04a10a18c21ab5274
Link:
https://www.unpac.me/results/7e2f4055-72fa-47d5-af2a-200502384a14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 94c5696327de22517c0c33afcc399a2c8ef551c3b8a8fcb53db4b60cd7a56897

AgentTesla

Executable exe e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c

(this sample)

  
Dropped by
MD5 eaef4a4bafe94d7b5af0444cb0ffe773
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68773/
  
Dropped by
SHA256 94c5696327de22517c0c33afcc399a2c8ef551c3b8a8fcb53db4b60cd7a56897

Comments