MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b
SHA3-384 hash: 9f7ea2988c65d26e8236476afc8494309e287b046f8a75abf7967f3730ddfe0a1099323f18467104a7b67793bcc35433
SHA1 hash: 696865861fc7b94e828c2dd3a17e5a32ecb6794f
MD5 hash: 77818fc1c6c91a21841b851f9201552b
humanhash: cola-papa-moon-mockingbird
File name:Payment Receipt.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:376'752 bytes
First seen:2022-09-05 11:41:58 UTC
Last seen:2022-09-12 07:50:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:qmZphUp90+yxEw+XfcZfsqiGNOYl+IwghKixMc:qm3O90+yxEw+Xf8lfOYUg00Mc
Threatray 19'041 similar samples on MalwareBazaar
TLSH T12184D6E0317C93CFD0A28DB14FC98A7079F135AC98D1560EA0F69B2D93D6396489C5FA
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment Receipt.exe
Verdict:
Malicious activity
Analysis date:
2022-09-05 11:50:22 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/48100c66-03ca-46ae-a6ff-32fd7873518d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307834/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.41694.16024.16781.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Launching a process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6315e115b00f73916cba2eed/reports/5d6dbcd3-866a-4170-b51c-19e43a98a71b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25ada6a6-d0c9-4675-b5ef-7897e8122638
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065196
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-02 05:48:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hut5ynyvrlllymnmoor2h2ymnuewgh56w44lxgh6vbhstenkmfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f3c70e427d01e986b62b574353b5ae3ffae3ed52dd5fa396beede2d825467fd
AgentTesla
125456fe8027b40d44b67ae250f582c06e13e852d293738b439e5fced671b134
AgentTesla
36a305617925c89f308f366743079aa77710b152fdbbafc44bbe496772e2f7b7
AgentTesla
375b7639c4540b562c82494ffefe34ed936a61178a172121e175f28e038cc43a
AgentTesla
3f7977031544cea82c008f81bae4b293eb8b57a05c68265e2c6222e877dea84a
AgentTesla
3ffd539c318fa1218b38b950f304a3a4b6bdc4c1828ba7512f8633ca2cb1e6ec
AgentTesla
88aa58fece2ec37f0837bdc7592be5363fff5ad8d80b274855f65310bf3886d3
AgentTesla
9fc56286f82d3f7bac3f1043ec1f48a89d9e24d55da753735a587f157a095ea1
AgentTesla
f8e71538897265a9978fd64c698f44966807ae8dcf460d842fbf5d95f93c1514
AgentTesla
+ 19'031 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220905-nt1s8sgcaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2019886914:AAF71hhVeKxibSZMPbQ3vEjrRrxSr_mVGGk/sendDocument
Unpacked files
SH256 hash:
46ca4a6b08ad8ab6e9009f9509efbac44d1e34e46389b4cdddc3947fa486892a
MD5 hash:
6e5c11a1a5f0d4d9f2af6fe8faee0630
SHA1 hash:
b40a1114b770c0dbc7d63060237caf95a5594f3c
Link:
https://www.unpac.me/results/627cc95e-beb1-484d-b58c-a8e1db1f3f85/
SH256 hash:
0d036d4922cf12a3dbb69b81d4b5cc0c2737ba1cca0399648ac92f170f674be2
MD5 hash:
654daffad76e04d4c483c2860618e0c9
SHA1 hash:
93ee51d0cd6e761b5a9e9e6a35bcacade6056156
Link:
https://www.unpac.me/results/627cc95e-beb1-484d-b58c-a8e1db1f3f85/
SH256 hash:
e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b
MD5 hash:
77818fc1c6c91a21841b851f9201552b
SHA1 hash:
696865861fc7b94e828c2dd3a17e5a32ecb6794f
Link:
https://www.unpac.me/results/627cc95e-beb1-484d-b58c-a8e1db1f3f85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/307834/

Comments