MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df
SHA3-384 hash:	314125138dd03457d62be42b3cb4980a42c4064637cde5509fe2783a626825d6fa3feb529932ca569d9b8f17f2a2743b
SHA1 hash:	91d908fc81fd04a0ae456eb4e297efe240796a62
MD5 hash:	1b178a85e92195fb6ffb46e9ad54f9cc
humanhash:	idaho-ink-timing-vermont
File name:	Quoted items enclosed.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'147'392 bytes
First seen:	2020-11-12 06:39:54 UTC
Last seen:	2024-07-24 22:41:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d66e9b03de783a9628fdd34310f06f2 (1 x AgentTesla)
ssdeep	12288:G8lL+2DoylNo6ssspUiDKJqzisC+he7MMhbsxU4UtcyTlVews:xllsylm62KMO6C+0SU9xVews
Threatray	2'743 similar samples on MalwareBazaar
TLSH	EB355922A1B1997EF0630AFB8CDB56D45D22BD102E2C69467BF23E7C8F396513419393
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.19686.10582.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Moving of the original file

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/531954

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df/

Threat name:

Win32.Trojan.LokibotCrypt

Status:

Malicious

First seen:

2020-11-12 00:39:55 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rpz67ur3ewvm5vzfd3lrdz5pzbjxfeichvvza2y6nwp7zt2s7pq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88

AgentTesla

3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d

AgentTesla

3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa

AgentTesla

428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0

AgentTesla

6f175e5ca3aed259ec1288d9dbd2510bff46dd383f95c07d9495570699934445

AgentTesla

8b51b20b7962db09c0791b27e7ac10fd933026777ad967a7cfdd5c23c7ac065e

AgentTesla

8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7

AgentTesla

98b586cd2517a8296335f30e0e363ab72b047d10e50cec33f41ed93b6b492ca6

AgentTesla

ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b

AgentTesla

+ 2'733 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201112-fv4e5jmxbj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

9234684c62d52d9c5deb07ba0c974b7fa34944ec0dbe4fc8cdc1088ce60fb361

MD5 hash:

fc9184fee11a200c5d9bb3d6cdf20b87

SHA1 hash:

fb45866bd40dd6ecc757895337c238a06f22d4c1

Link:

https://www.unpac.me/results/e9dadb97-7eb5-4551-b50a-9c9d552a51ef/

SH256 hash:

9528c2713534449d9693e4657988fc0b3e2bcab90a597bbb07eec91f9f3cb95f

MD5 hash:

6c9fab8bc4ab74a35015eb088938cf05

SHA1 hash:

a8b186801996d16e597e826aba74cb5c1e28ec06

Link:

https://www.unpac.me/results/e9dadb97-7eb5-4551-b50a-9c9d552a51ef/

SH256 hash:

ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df

MD5 hash:

1b178a85e92195fb6ffb46e9ad54f9cc

SHA1 hash:

91d908fc81fd04a0ae456eb4e297efe240796a62

Link:

https://www.unpac.me/results/e9dadb97-7eb5-4551-b50a-9c9d552a51ef/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.