MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec70a01a2d805ba0986541826f7dc64666d59f3f6abbd25fb67d8f174a03d616. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ec70a01a2d805ba0986541826f7dc64666d59f3f6abbd25fb67d8f174a03d616
SHA3-384 hash:	d769cddb46405e5b24e46da4fb9aa0987b4c4b652be08ccd045433b07f115f78c373b120a8691d79bc3c56e3ae81a08e
SHA1 hash:	793bb87d4ada77885602908ce5d007ffdd497105
MD5 hash:	a17f42580a16dbd65a827bff1785762f
humanhash:	kentucky-paris-freddie-ten
File name:	SecuriteInfo.com.Trojan.MSIL.FormBook.EUO.MTB.24502.9536
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	617'984 bytes
First seen:	2022-06-09 18:35:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:k9qL466WdqQpTEQWQbEQAtJtbXQ23Z6GCUT9iM+kaPhSL98:kd66Ep0Qg53bZIQBx+ka5SL98
Threatray	18'830 similar samples on MalwareBazaar
TLSH	T1CFD4237033F94B53EB6287BC3DA503418739EA0A6D7CE70E185540EE4D93BC6DA169A3
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.MSIL.FormBook.EUO.MTB.24502.9536

Verdict:

Malicious activity

Analysis date:

2022-06-09 18:41:32 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/35b024cf-f93c-488e-a4bf-594875c14b23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/278456/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.FormBook.EUO.MTB.24502.9536.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a23d719bbf30d03f466f86/reports/d4452625-3335-4241-b6b2-dcfab20ba17d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dbeca4fd-6be5-4d8e-874c-5ffb3e297593

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010303

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec70a01a2d805ba0986541826f7dc64666d59f3f6abbd25fb67d8f174a03d616/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-09 18:36:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rykagrnqbn2bgdfigbg67ogiztnlhz7nk55ex5wpwhrosqd2yla._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

70cdb9db8282adb1bb6180798f3b35f3b69baf831fbe03e2ae38166b36a25c83

AgentTesla

9ae5abd5ea0bc9742adcf468c68d5149af2a579ded5d4b85097df4d191c9f62d

AgentTesla

c2cc26cf1ca74f4fc3417d33bf12e4715e9b031d20b7208664bdec373bd528c4

AgentTesla

d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a

AgentTesla

defbeba113680db4e014a2b34be77a64529d1e0d5fb837e732eec92b842d364d

AgentTesla

ef85f9069eb8f860d143a599a3fe891ddff4341b3f6da959c69e6b6b22d3f53e

AgentTesla

+ 18'820 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220609-w8wrtsfce2/

Behaviour

outlook_win_path

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a55f675bd88953dc55edd1298b0e89c87c360038c87dad93b9a1449ff17427d7

MD5 hash:

a4d10e0834e836a25cbb37012277d9f6

SHA1 hash:

4f70a01cdccf9abd9bea9158bec5bf6eac75fab2

Link:

https://www.unpac.me/results/b70715cb-63a2-4499-a38f-84a695891ae5/

SH256 hash:

ed1b299750fde879d664c03ba214ac85016f4fc70c524791ae2a7d344b52f1e9

MD5 hash:

7a053e70b3fa25f68f79cb8eeb992d7f

SHA1 hash:

47d74f5919bacf9034b4a92e3389e0af05bac56f

Link:

https://www.unpac.me/results/b70715cb-63a2-4499-a38f-84a695891ae5/

SH256 hash:

ca40e8e69e4f1894cd1d48363f03808693e589d951920ce11feb5f7320140c8b

MD5 hash:

1698c4339fd5d3ea90539f3eb52e4c2b

SHA1 hash:

278c12bffbb04e7341b6514560bd0a358b7d3029

Link:

https://www.unpac.me/results/b70715cb-63a2-4499-a38f-84a695891ae5/

SH256 hash:

59a71f7a4f860c5812352d221cd85b945ef35a0aa9056e1d8ef11c4303633c58

MD5 hash:

e124c039d44553b82d59d3bfd50348f6

SHA1 hash:

1e074bf3f989ff35467e3460e619e7b2fd6ff37b

Link:

https://www.unpac.me/results/b70715cb-63a2-4499-a38f-84a695891ae5/

SH256 hash:

ec70a01a2d805ba0986541826f7dc64666d59f3f6abbd25fb67d8f174a03d616

MD5 hash:

a17f42580a16dbd65a827bff1785762f

SHA1 hash:

793bb87d4ada77885602908ce5d007ffdd497105

Link:

https://www.unpac.me/results/b70715cb-63a2-4499-a38f-84a695891ae5/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec70a01a2d80/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec70a01a2d805ba0986541826f7dc64666d59f3f6abbd25fb67d8f174a03d616

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample