MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5
SHA3-384 hash: f36f5f095f3e484269968022430ed80c01e0a735c24e124c6b91be4c59e36fcacb6318355a1148384df567aea7469042
SHA1 hash: bcc372e9b371bd402270c61f28f7e9e8e41078e7
MD5 hash: d7abc0880783e5e1c08f8a70a292473b
humanhash: green-bulldog-lima-edward
File name:Shipping Document .exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'106'432 bytes
First seen:2021-07-20 17:06:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ZCLjEywyJvDBbG1boObD3eFbp60IjepyO:0RtRG109Iepy
Threatray 7'105 similar samples on MalwareBazaar
TLSH T179359D282303AFCCFD7C4B755499620493F48203D356FEDA7DEA60ED5A26E628ED3116
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Document .exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 17:09:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f036ca6c-7fed-42dc-a344-50d132d58a7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172872/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d39f7e27-402d-4cbe-9bc7-e654e4a6dfeb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819116
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 09:51:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tltvbr4rsa6akqtaqr3rdfmtxsrumd7lvppynsfvvvjsfblxosq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a84e32cef475ad1e323bdaa15a1f5b2e690b6d4b18afe7b36a82f95ceb76ac3
AgentTesla
1625d7d0a842b5eaf19e17627f332bf36f95a689231159f7d8775a5354ad07b7
AgentTesla
22637e06185c1729dc491bf0d47763f8e549ae5a16223b04579240a0bbfa9f1f
AgentTesla
3855c5c96cc7967c87854b419d18eff2f6ca4f11858611d9cd668aedf898ea31
AgentTesla
460e0e4ca033ea035515fb07ace7a3bcd52cf26963ac09fbaf395e768fa6fef0
AgentTesla
476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b
AgentTesla
5005f7adee82137c52bc4d5693e56ce1c343cb3204706611cd81dea689f89247
AgentTesla
69a43a40f02660c2065fe3b76861dab28cc292301c180f1eafbf6c3f7b57afe5
AgentTesla
c3bfcfa385e249eb8555dbd0e557d7dcf78723fe833b978d87dc3177595cdb6d
AgentTesla
+ 7'095 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210720-pl9r1k3a2j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/43f9e9c1-88bf-4cf4-bda8-dd5ecd6869d2/
SH256 hash:
ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5
MD5 hash:
d7abc0880783e5e1c08f8a70a292473b
SHA1 hash:
bcc372e9b371bd402270c61f28f7e9e8e41078e7
Link:
https://www.unpac.me/results/43f9e9c1-88bf-4cf4-bda8-dd5ecd6869d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ecd73a863c8c81e02a130423b88cac9de51a307f5d5efc3645ad6a99142bbba5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/172872/

Comments