MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab
SHA3-384 hash: 0c40e3a5e47fc07a36784cf23c60ba95fdd68b6b7b7792e26812e57c83bbd3df4fb133967ed0af22b47e0c462d79d91f
SHA1 hash: dedc17c0e559fab4c363777088aeebb2482e4f79
MD5 hash: cf00d12d20c4e9fc92bb7b586b538a51
humanhash: don-carpet-north-mango
File name:cf00d12d20c4e9fc92bb7b586b538a51.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:933'888 bytes
First seen:2021-02-03 18:55:18 UTC
Last seen:2021-02-03 21:01:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:PTflP7ooeOy6halTQCUiUDSqTWV2k7qQAReLLzx1kBJqzht/hVZKy/aMg+NoEc1:PTdPuO9hiQ/1iqQYizXhVZKKaMg+SEc
Threatray 2'415 similar samples on MalwareBazaar
TLSH F215CF512278DA44DDF8E7792624837013FDAF3EA25AD2593C6BF16E34323584E23A4D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.sottoboats.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf00d12d20c4e9fc92bb7b586b538a51.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-03 19:06:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/878f3fa8-9185-41c2-941d-fff454ebf991

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115447/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.524.29238.20034.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/598360
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 15:44:12 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ndxccprsscqajdzr23vb67qdxjwaj5bv7fvlgsttwmi6obn4wvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0944994ed1f7612afe248bdbbe57bacad3d3720c8f5f43d8cd5e17e7ae299ebb
AgentTesla
51049bcd9b6352ff1f14b82c05444cd797ba7babd403456a860f8c4bf957a594
AgentTesla
5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb
AgentTesla
65b84cb59453db1032107a51ad2cf6c31c645f954ef0d43223ee2ff15fb5f2e6
AgentTesla
beeb5cb22555b396578142e0f399af295e0108e895ccce899d95cd7801c37511
AgentTesla
c306dbd2fece216188963e01435a8a4a1de94b33a9d340cf15699794b76f4571
AgentTesla
d5cfd27950d5701198fe9d8a88278cbad4d7bbd7c301ba67345756003f21afb1
AgentTesla
f17d68b3137442bece28a0a4f5598b9ca9af48294127679bf996b941f33e2fac
AgentTesla
f2a044715a0cac14a34248d1b13fc03be4c53fe325ec2fe5b984843fc6907e4f
AgentTesla
fdd29486217d3f13351e6245fee6a892fc4f9c2a9d51e19dca7c8c54c05da3d1
AgentTesla
+ 2'405 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210203-z5bb39ae66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4ad5e90b0a372722cb2c3c89c046a19138d6007b10ed362f2b4ac00eacf2e224
MD5 hash:
718a4e822e3d8831478628a6132b3d16
SHA1 hash:
6e18700a4c5b2ee3c837318d7c819e7423869e8a
Link:
https://www.unpac.me/results/de331a50-b3fb-409e-9a93-8f0a199dc72c/
SH256 hash:
3c25c49a8f2a1a89c42c33a2e58ffabb4f9fb745a7e828a37924f0153c30f095
MD5 hash:
4a2682a0c281093b868f1b0beb85353a
SHA1 hash:
1ab44fa00fef19d91723137eff879d98c5ff2fcb
Link:
https://www.unpac.me/results/de331a50-b3fb-409e-9a93-8f0a199dc72c/
SH256 hash:
6997d5fcca4dffa1a7d07817dae40fda2d01c0d59f7e78589252c2856d15733a
MD5 hash:
d493e614341cacf6b7033b38e890bb66
SHA1 hash:
0b3d08b92855fb95814c2788416656a61aec68e6
Link:
https://www.unpac.me/results/de331a50-b3fb-409e-9a93-8f0a199dc72c/
SH256 hash:
eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab
MD5 hash:
cf00d12d20c4e9fc92bb7b586b538a51
SHA1 hash:
dedc17c0e559fab4c363777088aeebb2482e4f79
Link:
https://www.unpac.me/results/de331a50-b3fb-409e-9a93-8f0a199dc72c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe eb477109f194850024798eb750fbf01dd36027a1afcb559a539d988f382de5ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986133/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115447/

Comments