MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb8d7ee504c1e07692d7815797c34bea6af69478cc459cef981d3b0bb804c09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	ecb8d7ee504c1e07692d7815797c34bea6af69478cc459cef981d3b0bb804c09
SHA3-384 hash:	8fd6fbce98d63f71303df56771d487f9a905344e5209fcd2bb9aa28d185c5aa9582d04a0ceb546510687fb307c1a195d
SHA1 hash:	4520ca7e1b5359b0d41b81d7144198580409ab68
MD5 hash:	93db68f90357949dabd100f786bfea55
humanhash:	item-oranges-wisconsin-ink
File name:	SecuriteInfo.com.Artemis93DB68F90357.31298
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	801'792 bytes
First seen:	2020-08-19 12:45:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Dy4yrZUXZVCJVyXeKXCMq7AG5lRNTE5rDQ/QENIe66eftIk939ocBI65s/:FDXnuVYe9TEF8QENgPtIkJ9o2
Threatray	9'800 similar samples on MalwareBazaar
TLSH	0105022575C1BA8EC9164F364812AD40E7F1F6275B0BE34B3C9711EC9E5DA478A233B2
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/48512/

Detection(s):

SecuriteInfo.com.Artemis93DB68F90357.31298.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/437987

Signature

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ecb8d7ee504c1e07692d7815797c34bea6af69478cc459cef981d3b0bb804c09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-19 09:29:43 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5s4np3sqjqpao2jnpakxs7bux2tk62khrtcfttxzqhj3bo4ajqeq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253

AgentTesla

623d62b1bd16412847e69e3dc435f1d6e46d2b586800cbd0478cc5eb8ea04eee

AgentTesla

62b507f0abf9387b2f4fd76e3e303a72bd6cab87e948d0c02b09b37efa0e7d48

AgentTesla

65dc5eae6aba498e459af4ab782d21cf3708141b3886226a9e31c407b6d9aa8f

AgentTesla

9911a28ce25c425a9b627b714633795115f93e484af282c5d6e7916bc22c4eb4

AgentTesla

9ffb458e6d120f6d42906c102ce49ecefbe4a937d6b605a4d3a1b3a7dc15e627

AgentTesla

af27bd7180ad756460e32f2ae56db7cbdc8a79e73a36b261a96f803e5b051fd5

AgentTesla

bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7

AgentTesla

d3168e892cc0eac2e010fa380fd64aae8c55acddb06344b543a6fb0cc05e8dd3

AgentTesla

+ 9'790 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200819-ng6k948p9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ecb8d7ee504c1e07692d7815797c34bea6af69478cc459cef981d3b0bb804c09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/48512/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample