MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5
SHA3-384 hash: 8fbcd08c3aa82d4ef8845434f0907604bb58afa06fdc26e899c6a4eeb0581881fa30d3b3dafca0763bd45cfae9ca98be
SHA1 hash: 63435758bc5aeadefa4a3521b1854a64a26d5b86
MD5 hash: d56afebbaeb5821bb8e511f7776c0c9d
humanhash: timing-grey-march-wisconsin
File name:UKLSiP 40-4_RP_Z.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:662'528 bytes
First seen:2021-09-28 08:50:43 UTC
Last seen:2021-09-29 06:25:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:pzXzjNi+hBr7IUAMKTaNsWCgeC/XDNKYbOC2pN/Fh+LpE:pbNi+hBr8UAMKTarChCrJbOF+L
Threatray 10'353 similar samples on MalwareBazaar
TLSH T142E49ED92E7497CBFB5E01F8F5782B8813BA9024E99BF3C2CA46B0B351367644910DD6
File icon (PE):PE icon
dhash icon b2cd9ebaa2866eb2 (6 x AgentTesla, 1 x RedLineStealer, 1 x CrimsonRAT)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UKLSiP 40-4_RP_Z.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-28 08:56:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b34a814b-5aac-4414-9b9d-f2979ab71d19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192477/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.14006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c21bd72e-c47e-41ec-9541-a502459a6698
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859662
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 03:01:31 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5h2e3tdxxyikkqn7ilget3agqqclb7dpaldiv2vomjhwtqh4zpsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0278c4b0397c831f5c3fd4f9ae46093fccee05167dab7391570ba138ad3238a0
AgentTesla
26726a1e321ed1e0f39b676a56b38eb41641f734aa05e0a9669c6144b53ee191
AgentTesla
5e27b2f6ec7f0387f6c380ac26eb924fcc732601c43ed7c400c42ae82fb0de57
AgentTesla
83177bc5d78b3fd5054543d6fc65d16b4576be79447ac5ee894a4b3b330e3764
AgentTesla
ab5e531c49ff91e17814ab2974a20b7b141b42b1d0229e27b20713358effd633
AgentTesla
ad28a444141c8894fc961bb6a358c29bc063e6e1f140526a1cbc973f5966db79
AgentTesla
c3402066324ea3b63b1736d2cb257a441b3660a257751ea54ced7d43864f4d6d
AgentTesla
e0a23d00156db7984951934506ee9edd0249d9a2d39e6bfb285291d510ee054f
AgentTesla
eca9be257354d26e49e1b03d1b8d42228cf66b5ee1b1236afad3c348da43c48b
AgentTesla
+ 10'343 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210928-kr7bfsbbg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
665ae99e68d35e026bbedc2e0023e48f70f3738345d8cd640ceafc8480e80d25
MD5 hash:
1d1faf0fb970d7b4243ae9c17546106e
SHA1 hash:
bd408d63177ff1fee8a62fadfdc10439c2ae5b03
Link:
https://www.unpac.me/results/0a94b26d-4d17-4f49-bf3e-486e12e26e11/
SH256 hash:
660a1abc9ad3b0549267e3f0bb801f623dcbaee3005e60c78180814050b8032e
MD5 hash:
1a1b7d8a316cbc369d0e97f0ede67944
SHA1 hash:
a0bab881cad024714eb37def8fc9ef3681b1e0c6
Link:
https://www.unpac.me/results/0a94b26d-4d17-4f49-bf3e-486e12e26e11/
SH256 hash:
a913f44d086262b26a5452fb9c998fa373474539c1c9338766c1b8d4da42a0d4
MD5 hash:
10a92dafb793e0211b081cd584d85353
SHA1 hash:
8c6122f45c20769073ea12ebda95354bbee8bb4e
Link:
https://www.unpac.me/results/0a94b26d-4d17-4f49-bf3e-486e12e26e11/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/0a94b26d-4d17-4f49-bf3e-486e12e26e11/
SH256 hash:
e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5
MD5 hash:
d56afebbaeb5821bb8e511f7776c0c9d
SHA1 hash:
63435758bc5aeadefa4a3521b1854a64a26d5b86
Link:
https://www.unpac.me/results/0a94b26d-4d17-4f49-bf3e-486e12e26e11/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e9f44dcc77be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192477/

Comments