MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66
SHA3-384 hash: a3800357b0cea3af80b3fad469b5db163d34007400fa52a5781d993ac2767e98253529d1cd0daa3288bdb3d50bf67084
SHA1 hash: 15f8bcac4aa7273f362ad1f474bf818ee5179b44
MD5 hash: f71317984e36770287b066803de0ab00
humanhash: quebec-salami-one-diet
File name:Top Urgent_New_Order_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:933'376 bytes
First seen:2021-01-25 14:33:02 UTC
Last seen:2021-01-25 17:23:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:bTDgabSe6u0TviWkTo/RWkd2waihHak9fJD1dSxgbVXRYsBmQnqyxMOr5WVtLV:0pbmTQrd2binJXU6RpmQnESWVZ
Threatray 3 similar samples on MalwareBazaar
TLSH E315351031E4CA5FC57B42B50660DD9C62615EDEFD41923819BE3A9F292FE8E47C0AB3
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Top Urgent_New_Order_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 14:53:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6936617-3b87-4897-ad20-252db7fb55a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113719/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.30932.12147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589487
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 05:44:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ri6kdv6uoig56d4quwjlmsw4okivg5xrgmbvhor7ztt26dghzta._file
Verdict:
unknown
Similar samples:
1fbdb4d5cc70b77728853bf7dd9c53b8f2cd49055503be07ea3a13e7459757c7
AgentTesla
606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525
AgentTesla
cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210125-ept2tp28pe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
3d97df1bbf3fea26b92c4adc5c550d84b938f0673758bb5e3680615ade822a99
MD5 hash:
8b2344ecc7444136e8e8d56c2deb5052
SHA1 hash:
c18e0063ae91db4ca6500dd6f2de129de2c6cb4b
Link:
https://www.unpac.me/results/3202fcc1-00b8-4763-a7ae-7f5c96459c91/
SH256 hash:
c3f42ff8715cb7bb62365d1e3210b5dbd58b052ae15b261ee95836dd353c211e
MD5 hash:
3dd07776fe5a1b94b62a1aa0990562b2
SHA1 hash:
b73d40424c258e7984795f2d776473d360823481
Link:
https://www.unpac.me/results/3202fcc1-00b8-4763-a7ae-7f5c96459c91/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/3202fcc1-00b8-4763-a7ae-7f5c96459c91/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66
MD5 hash:
f71317984e36770287b066803de0ab00
SHA1 hash:
15f8bcac4aa7273f362ad1f474bf818ee5179b44
Link:
https://www.unpac.me/results/3202fcc1-00b8-4763-a7ae-7f5c96459c91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/113719/

Comments