MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

SHA256 hash: ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e
SHA3-384 hash: 442e45f9e4992c7b695c7cf756ad0ba663a7694e9019c74c1d028f2f3781bc4e0e89f3dc1e61f535ef8314526e12d43c
SHA1 hash: aff5b20b0787da9302f2124f5f5cf0be131185ed
MD5 hash: ecddfebc3686f43e64d1e75ce1bf6d00
humanhash: sweet-colorado-fanta-eighteen
File name: SecuriteInfo.com.BackDoor.SpyBotNET.25.5189.31965
Signature: AgentTesla
File size: 456'192 bytes
First seen: 2020-11-19 15:10:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 6144:bUm7AbR979jy2VgY83p41QCxG9orr8iMcViztPSYKi9CRCeDzyBM+pXJFFn:bYR9NVx1G9ov8FcIztaYvxeDzyZbFFn
TLSH: 4AA47C722D46146EC5AE0B73446581F1BAB63EC73FE48B0E61AA731C0E35B26E753217
Reporter: SecuriteInfoCom
Tags: AgentTesla

Intelligence

File Origin
# of uploads: 1
# of downloads: 96
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-19 15:11:13 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SHA256 hash: ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e
MD5 hash: ecddfebc3686f43e64d1e75ce1bf6d00
SHA1 hash: aff5b20b0787da9302f2124f5f5cf0be131185ed
SHA256 hash: b2daba8bd9bd8180b3a3f99be8b5c5341cf5393d09c3975eaf8cc25fd6c004fe
MD5 hash: 157dbc7d2a3ff1c46eeddea60af1a3b4
SHA1 hash: 4c501dec940f11fb180224faceff33617f5b98f4
SHA256 hash: a6e567447515432949e56a3a65c93dd8415a20ba7dca3d57527eb23ead38cedc
MD5 hash: 33f96f0a3de6de28155a15469b36bdda
SHA1 hash: b8456273c223336a349ac6bf85ea9467ca4f40e0
SHA256 hash: d235ab2f8da688f944c49c5d4c837bf77e4cfcd245e7630b936bb82a706b2721
MD5 hash: edd66d08b7f1bef7a96493554fc0195d
SHA1 hash: 2400d1b60a7c17514dd8ec70214ba3118558f36e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE
Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments