MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002
SHA3-384 hash: 932fc2ed70d5d897ebeae68d9c6f43b25e1a3b020f9f4215411297fe29b4afa42fdfb01f12797a87226c6a8c915d8249
SHA1 hash: cb06302983d39d00ad5b7af454028be646b4d675
MD5 hash: c062c232ab53b6bc767922513da5f706
humanhash: zebra-moon-blue-jupiter
File name:Order Inquiry#5500298704.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:520'192 bytes
First seen:2020-10-12 08:48:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3kQ6pJomy8hMT3BDvHu5paOSRCuBkHiYezb3:3dyJorFjmpaOSRCuBkHi
Threatray 3 similar samples on MalwareBazaar
TLSH B9B46F3C8DD8523B997BE672C0B05AD7F9127A8732409D1F56979B8A1E13B133C89C2D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Mohammed Aquib <event_comm@decart.bg>
Subject: RFQ#5500298704
Attachment: Order Inquiry5500298704.img (contains "Order Inquiry#5500298704.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488211
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 08:16:23 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i25xgxwrttpyazs5cyeay7yehs2djq6yv3ntdsj7fkhaozd4aba._file
Verdict:
unknown
Similar samples:
27188edb06a9639ca94c77e232de1286d09a70bd8d0c7dfe05bdd11bc4abeeef
AgentTesla
49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4
AgentTesla
92b9e49e47c5817025c7bd82d503e0b675947d9eee4faa2d8495965c9e6de709
AgentTesla
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201012-zlkx329fb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a26bff8b5c724f1bc557738407ee9aaf587200740a1092e90f4f6ee0677a5602
MD5 hash:
9acc32d32c080711174c9050ac43febf
SHA1 hash:
7406380b59bee81e0c458f57b05e9b26506c3b7f
Link:
https://www.unpac.me/results/25300798-db11-419c-9f01-ea8837fb40b1/
SH256 hash:
7e2336b083973fa68860c271a12c6c8125240ee3e461605271e4728643cf7e35
MD5 hash:
db5584f65521428eba950162309810a9
SHA1 hash:
8f3848bd03550fcae90277d276de8bbb54480c8d
Link:
https://www.unpac.me/results/25300798-db11-419c-9f01-ea8837fb40b1/
SH256 hash:
ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002
MD5 hash:
c062c232ab53b6bc767922513da5f706
SHA1 hash:
cb06302983d39d00ad5b7af454028be646b4d675
Link:
https://www.unpac.me/results/25300798-db11-419c-9f01-ea8837fb40b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 18f0eba236cb77893fe13795d8fd38cf46f42bef8ad2a99bad4820188f67f5b5

AgentTesla

Executable exe ea35db9af68ce6fc0332e8b04063f821e5a1a61ec576d98e49f954703b23e002

(this sample)

  
Dropped by
MD5 4f7cc2212fbac8135125756942a79806
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70014/
  
Dropped by
SHA256 18f0eba236cb77893fe13795d8fd38cf46f42bef8ad2a99bad4820188f67f5b5

Comments