MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96
SHA3-384 hash: b9cba7c8412949091d7bb8fd49fac3b903649984c333611c518927442096333d3da1caa13d08ceef05e6cc3065665354
SHA1 hash: 3ae21a10381de7443539550713478aa906b31e9a
MD5 hash: fd6e3584b461648ca77187a9b4adb947
humanhash: alanine-autumn-vegan-illinois
File name:TT copy for $39,500.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'374'720 bytes
First seen:2022-02-17 06:39:29 UTC
Last seen:2022-02-17 08:28:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:f8V8z5dQCT0V4n979a5qQPUkDGdQOBPUa/0mw7Xy8qISttHjbD8/6Hbw:ffFdQCT4c9JYqQPfDGWN8w7iHIq1jfHb
Threatray 15'431 similar samples on MalwareBazaar
TLSH T1C155E05631EF1046D3A2EBF20FD8BCBF9A5AF177120F753A31816B468376A449A02375
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242132/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.56335.11446.31565.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620dedcea2660f3bb9edfb8c/reports/a70a6297-286f-47cc-bfe2-5fc30652e3e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941361
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573839 Sample: TT copy for $39,500.exe Startdate: 17/02/2022 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 7 other signatures 2->47 7 TT copy for $39,500.exe 3 2->7         started        10 nwlrFL.exe 3 2->10         started        13 nwlrFL.exe 2 2->13         started        process3 file4 33 C:\Users\user\...\TT copy for $39,500.exe.log, ASCII 7->33 dropped 15 TT copy for $39,500.exe 2 7->15         started        49 Multi AV Scanner detection for dropped file 10->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->51 53 Machine Learning detection for dropped file 10->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->55 18 nwlrFL.exe 2 10->18         started        20 nwlrFL.exe 10->20         started        22 nwlrFL.exe 13->22         started        signatures5 process6 signatures7 65 Injects a PE file into a foreign processes 15->65 24 TT copy for $39,500.exe 2 5 15->24         started        29 nwlrFL.exe 18->29         started        31 nwlrFL.exe 18->31         started        process8 dnsIp9 39 us2.smtp.mailhostbox.com 208.91.199.223, 49844, 587 PUBLIC-DOMAIN-REGISTRYUS United States 24->39 35 C:\Users\user\AppData\Roaming\...\nwlrFL.exe, PE32 24->35 dropped 37 C:\Users\user\...\nwlrFL.exe:Zone.Identifier, ASCII 24->37 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->57 59 Tries to steal Mail credentials (via file / registry access) 24->59 61 Tries to harvest and steal ftp login credentials 24->61 63 2 other signatures 24->63 file10 signatures11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 01:01:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ihkoth5vcdn5ufce6uzbbdrs7ddni4fgpcouii6a7b5yf5lj2la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1742850c2c5b2bc8e6d990f23be99e4a40c7cc5146c7e4610b2bc4914bfb09b9
AgentTesla
29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506
AgentTesla
47af683447acb9520a6e9ff7b91a19c310977cc1e1ef0ee2e0a10c91e5c2fb96
AgentTesla
69d6ba4ed00ec8b1990fd34b31f2b7abba0e3b711e85a9f0bc11276325d5ddb4
AgentTesla
8749c16cb8cc3999e4db4fa619da8d90fcdee57c7c99479e96e5eb3427a427a0
AgentTesla
b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9
AgentTesla
ed817c297bb2d98e89f3534b4936cc40d5829d7812c6ae0768a774f16685ae08
AgentTesla
+ 15'421 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220217-he9jyabcdj/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
63b6403c6ea1378c0ff49f069597b45496dba6c0161d240e64885ab6f0806d04
MD5 hash:
72b143fd989c37772556bf302ac33be1
SHA1 hash:
ee377db4778e70261d34f8210208069df41a12ef
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
SH256 hash:
ce2af55387c19d840e6189bffa014d76657d6c50012d2b5477e7a6683fc045bb
MD5 hash:
e6a5b6df1763f22a6f339e7c8fb907a3
SHA1 hash:
557af2b919706a2965dd9bab0ddaa7f8ea641c59
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
SH256 hash:
ed817c297bb2d98e89f3534b4936cc40d5829d7812c6ae0768a774f16685ae08
MD5 hash:
7d494865be6a5a69e206b935379af1d4
SHA1 hash:
44011598c5279c746351451f43af333a67479c61
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
SH256 hash:
58348843636e51ee44f6623952b098f272c0a27c11c4b56932dea3fc48dfa32a
MD5 hash:
813b573e83b02e9a0e22cb3bdc2f5612
SHA1 hash:
005da14d771909a54c3f6484d8a0b337ca38bdb7
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
SH256 hash:
ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96
MD5 hash:
fd6e3584b461648ca77187a9b4adb947
SHA1 hash:
3ae21a10381de7443539550713478aa906b31e9a
Link:
https://www.unpac.me/results/bd24e2a0-b3f5-4bf7-842a-1de64cdd27fa/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ea0ea74cfda8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ea0ea74cfda886ded0a227a990847197c636a38533c4ea211e07c3dc17ab4e96

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/242132/

Comments