MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7
SHA3-384 hash: a60f93f0707075c7f8ef1d11329bf2805f2e498e01507bfe13468d55d03ed86b0e06ef22208cd29f7d73b693954bfa9b
SHA1 hash: 91227f37b00745e69db5dc62c6ecf4bd4d3a6c21
MD5 hash: 6eb466599f0dbcc8be66902d8b7d5a4b
humanhash: washington-mango-snake-stream
File name:QUOTATION Q 01668-R1 - 4KW.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'064'448 bytes
First seen:2021-06-21 12:56:45 UTC
Last seen:2021-06-21 14:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:a7AsWFHmsWSMPQipP5OCXwkPRWuDop8/O1CVSSx83Lo2yy+YicMcFbLIk+lCair5:aUH7ipPLop8m1mS33chYi4oCL4+
Threatray 5'989 similar samples on MalwareBazaar
TLSH 2035BF220ECF832EE2754FB557B0BC8782B6AD662705A2113DC031ADDA335D9DDEE512
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION Q 01668-R1 - 4KW.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-21 12:59:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e49754b-93ab-4d44-a0f8-3eaf97a48b4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167285/
Detection(s):
SecuriteInfo.com.Artemis6EB466599F0D.12080.8955.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebab2b37-05ae-4362-9000-23c18e6aabd7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805316
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 11:10:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5m4cizwj2qxfgp5s7xgqkpygaos5mksfln6m6p7f7kcwxpg46o3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07b7896911fbed2570ef9716256497017a3d2e57b4f992afc3c42aede186284d
AgentTesla
0f974bcf811dbe6c365320b6edfc39895131b0cc09810ea297c1d5a62b05d5c0
AgentTesla
2533bccd55634d0883662979a1ffef4f7d990f7153c28096befa93aee34beded
AgentTesla
3fdc44d1ff4ac710c14a0bf17282299352f959c050d8d62d49890a1a57a424ce
AgentTesla
47ed9a694769d7cb9419f9a7250c67d109567589767862e20669be81536c60ea
AgentTesla
6bb719834486c1edde90d47c165b4e24bcaeb4f0e9ac7468ad95b1d62e918a70
AgentTesla
8636a1af1afb3fa83c218cbc4a18f37782b835d4ab8b27148d6f99cb849453a3
AgentTesla
8a2787b56ac9b4c4d6189a64b5e39f6c827fdde2170b3e756b96345a3d178733
AgentTesla
a17de11c47636ac63c23de8fc6da983f6c7a90d2d36a50cb658716f655a666d5
AgentTesla
a61f3a33d39eed1b5899981f8ba224434e442db843c32804032ac2e8fe22085c
AgentTesla
+ 5'979 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210621-c58qsp9836/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
49018641a3cc3b84a160d0b0af81d89901873f1e4614bc9dbdda92c666cfbdcc
MD5 hash:
db21fb36d1b9cabdb953fd888879c7c7
SHA1 hash:
dc97a689e3b69d91067bf152a0c37baf5f335965
Link:
https://www.unpac.me/results/95f75f97-d57e-430e-844f-871e7fc1158f/
SH256 hash:
c7621305c825c84ed39c11410a3629262391cb0102d43e92a5be5d6ee870ae96
MD5 hash:
04026c4775317f5a14598d52a2370406
SHA1 hash:
bf76dcd9c33f971170a72f145e0460bf52b59e3c
Link:
https://www.unpac.me/results/95f75f97-d57e-430e-844f-871e7fc1158f/
SH256 hash:
79fe7eef4e4681a291db395f70464b53862bde428aa62a5b08f1186172197af3
MD5 hash:
fcdd792874df7a49799e14afccc2d48e
SHA1 hash:
4009a1a9679b49802d0344034fd9c99311f79c80
Link:
https://www.unpac.me/results/95f75f97-d57e-430e-844f-871e7fc1158f/
SH256 hash:
eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7
MD5 hash:
6eb466599f0dbcc8be66902d8b7d5a4b
SHA1 hash:
91227f37b00745e69db5dc62c6ecf4bd4d3a6c21
Link:
https://www.unpac.me/results/95f75f97-d57e-430e-844f-871e7fc1158f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 1f5d4e631451efb5fc263a2bc7a537746791ae4345180147f44598a0d6293d0a

AgentTesla

Executable exe eb382466c9d42e533fb2fdcd053f0603a5d62a455b7ccf3fe5fa856bbcdcf3b7

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1f5d4e631451efb5fc263a2bc7a537746791ae4345180147f44598a0d6293d0a
Cape
Cape
https://www.capesandbox.com/analysis/167285/

Comments