MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3
SHA3-384 hash: c861be34402ec88778dcf859886fc1727b4a574603cc715de860a2205e30b4acf1b5082edb892720816e59e0ca44cef0
SHA1 hash: 6ec956adc44e5f1834f529f373d3d7502addb972
MD5 hash: fb59bd93aca2bf3697fab76f8154e347
humanhash: mississippi-network-lactose-sad
File name:SHIPMENT DOCUMENTS CI,PL.BL.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:781'312 bytes
First seen:2020-10-19 06:30:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jDJ2bQKGQQ4PAErhi21O2+TcF39kGIZZi022etWizitlRV2m:jAbiQFPFhL1Y839CZiP2QWimX2m
Threatray 625 similar samples on MalwareBazaar
TLSH 91F4AE1422951F58F07D97764260449083F6BD02CB38C94FBDD97AC92E72F82CB67A9B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host3.facelube.com
Sending IP: 209.59.173.188
From: Zahi (APSCO) <cchen@facelube.com>
Subject: RE: shipment details
Attachment: SHIPMENT DOCUMENTS CI,PL.BL.pdf.img (contains "SHIPMENT DOCUMENTS CI,PL.BL.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72728/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494925
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 00:28:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5khctdrxwqro6yvhpqya5z7wb65cgnxuk7b3odatlombajoyidbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13f1fde2f8426f9ee2addd7ff3a710d9fb7042d875fdf3f0e8e080030da53b83
AgentTesla
2035071dea13b48db2cc9248961f3f55a41e60b0b346f190a3a69b75670b99bc
AgentTesla
2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
4636055b5170ddb11d94a466c0c93e57ad40caf68a036274bdf2ded620a22bce
AgentTesla
79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5
AgentTesla
80f45086395417ea3bda68a20d2fc5b0bc5050c000023d82544fd2b5b5a8ce89
AgentTesla
a47357333cedf89cd51745ccd03a9bc33653e6aa5dcce2214934286d7c6b727d
AgentTesla
b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
AgentTesla
fd1f86d98d28f8e9ae73acf4609e8cc0e669e97495c7d9bf679151b47432e005
AgentTesla
+ 615 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201019-vb8ldj6hsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5497b7131e7e5d1c25032198da2de7f42e2a4d3b7850783b47541e0c40c4c852
MD5 hash:
8775253f56952d7570ba3ac3dec7baa3
SHA1 hash:
93f83b7963ec387d2564f06077e0c751c5c1ea58
Link:
https://www.unpac.me/results/5da9b9d1-b3ad-4072-8ce3-80964334ab5c/
SH256 hash:
ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3
MD5 hash:
fb59bd93aca2bf3697fab76f8154e347
SHA1 hash:
6ec956adc44e5f1834f529f373d3d7502addb972
Link:
https://www.unpac.me/results/5da9b9d1-b3ad-4072-8ce3-80964334ab5c/
SH256 hash:
dc4f8c565b832866540d5cbcad70c308d6bfb6a9d2ba3c4f0d79bb90ac00248b
MD5 hash:
60db5d289dd2cb9446f068b7349bc76f
SHA1 hash:
7eb9d00ec64a15277c853aba20993c416ab06f6a
Link:
https://www.unpac.me/results/5da9b9d1-b3ad-4072-8ce3-80964334ab5c/
SH256 hash:
a25caa0fa1fff974f78e54016f221a10029c61b576b2f02b6cb668e900e5b22b
MD5 hash:
ca42e3ae6551828e18b8916f9acf75aa
SHA1 hash:
9ec7e415ea6e7504ee23e42f96f212c71d8990b7
Link:
https://www.unpac.me/results/5da9b9d1-b3ad-4072-8ce3-80964334ab5c/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/5da9b9d1-b3ad-4072-8ce3-80964334ab5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img bf8f615bd09f284b9a0353652050f82b8450e02bf3f1117b4885127d1ae5bb67

AgentTesla

Executable exe ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3

(this sample)

  
Dropped by
MD5 592e0078f680dac68036a6a0f898e79a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bf8f615bd09f284b9a0353652050f82b8450e02bf3f1117b4885127d1ae5bb67
Cape
Cape
https://www.capesandbox.com/analysis/72728/

Comments