MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198
SHA3-384 hash: 820de69dce6a2dd70061e764f6da21bad7473ef9b86ef998bc9823a4400176543bf8a7354c208bef40ce8b0d301a5a41
SHA1 hash: 918568d13791f45978ac5d7da456eb23d3db05ab
MD5 hash: 8d65cbe7e53a7d0c1329fba32ad439b9
humanhash: fourteen-december-moon-michigan
File name:8d65cbe7e53a7d0c1329fba32ad439b9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:744'960 bytes
First seen:2023-04-05 13:13:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:DwFZRkN2iNrfGq0J6wwxHICb65K3FcgAHCPMRovwHfRH02Y:DwFZON11f46zpa5dgERD/Rq
Threatray 1'864 similar samples on MalwareBazaar
TLSH T136F48C2E8E14C2F5F6BC07B5D0D37F196EA409A247D6851CB87B60C63B85B8A5C0E94F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d65cbe7e53a7d0c1329fba32ad439b9.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 13:15:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ee6274d-20f2-40a7-85d2-b1b681d683f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380321/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642d74225df5c94ab9b87ad4/reports/c779bf92-469b-4327-8b56-c257235e0530/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/820b04f2-9587-4535-b4aa-ba4b499d6983
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209110
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-04 17:17:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
9 of 21 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lcus4plkc3fonc6cyu7neyyddxt53fkfemwwx5josjo6sxkcgma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1ca3575bdfb30ebbb970d00611808d9de9816763aa135d2e22a5b208cd4d3b23
AgentTesla
3f9a3906d05707bc7faba452982b42c6f8244b99e906a9009fefdf3209ab83b9
AgentTesla
54d2d443952347ccc724a8f39806ff9fca252511b2fca91e2fd6c9998612ed32
AgentTesla
58c82c6759d1284e35311a76db2c5c81db938ac0722ab97ee5c56ac75caefe13
AgentTesla
6afb80ce0f8163b83cf83124fa71b192233af267bd7089cfa4a9a2ff47abd854
AgentTesla
8382a6ee4216faec05fbd17a082a85a05c4878ba1dbc440744439a5011eea035
AgentTesla
851f52d27f15eb052fdaef1c0cdf91c9642d5b3c170a62a56c67d5b1b24d0c9f
AgentTesla
8a737bbbfd9a311f50f79ce1c47f6f86a40dcf3372e801e669e5fe9568bad3fe
AgentTesla
94c89d127587016abb2f7926c8eb23c10665787301fc7f5ca711b6bc02e60a88
AgentTesla
bf71bd90c11bb97f08391a42466582b08c5089cf47ea9075dc7e1a24d1b97016
AgentTesla
+ 1'854 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230405-qgnn9agh2v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0906cd504b8a4489aec23b72b945f6b44340bd1d7402ea9d852c108295ee8239
MD5 hash:
8e56ca138d2e8630c48be8766aafc3c6
SHA1 hash:
e74c57394ea991ab61bc60611bd6db0f41892e1b
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
SH256 hash:
168fbefc015ca360b4cfcb8d56a6675316091bd19df390bdee65a2db4297b04b
MD5 hash:
caad23481797c0354e29ece61465fb9c
SHA1 hash:
7e13e1d8183d8c9cd150ff74498ed42f9346519f
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
SH256 hash:
05b37b4f31612a4e7d360bc6317422c0945f82b071afc241b58cd3ac72da12ac
MD5 hash:
d2ba439e0a9fa77a2bcc01e411b40d18
SHA1 hash:
59797ff8d300fdacf923b161b59bbce5eb493bc7
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
SH256 hash:
b2481fd3c6359e4905878ac8296638ff4b6242bed155fe9e7f95f856ff8095c8
MD5 hash:
bdb0cd01e1bacd4e5de96f2af24d0f71
SHA1 hash:
2c2c43b15aae48075222732242d4bfc15d14cb01
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
SH256 hash:
eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198
MD5 hash:
8d65cbe7e53a7d0c1329fba32ad439b9
SHA1 hash:
918568d13791f45978ac5d7da456eb23d3db05ab
Link:
https://www.unpac.me/results/33aa1fe8-e3a7-4768-aced-02c2d543b0fc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eac54971eb50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe eac54971eb50b657345e1629f6931818ef3eecaa29196b5fa97492ef4aea1198

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2403250/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/380321/

Comments