MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
SHA3-384 hash: b0e35e6f7c1e985323ee7ab911da42b665340ad5c1d6b6638ba1d1fb5a7c58d36ec69077abd3fc515c2748469d383204
SHA1 hash: f4942bafff2a7638f5aa7b7ddae3ba9bf6ea5ff6
MD5 hash: 60f31c64785034095f8a62e89da663b8
humanhash: tennessee-arkansas-pizza-single
File name:PO-513211.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'013'248 bytes
First seen:2023-12-01 10:24:04 UTC
Last seen:2023-12-01 12:33:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:fKJWY4+KuW5qHbhO3U086VbNm46jYF/3xxvOx:fKJW025qHbhOE0D5CkF/3e
Threatray 3'309 similar samples on MalwareBazaar
TLSH T1C02512A1731ACB95C92F87F614A8500043B77D1B94A4E10C6DD53AEFB73231269D2EAB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PO-513211.exe
Verdict:
Malicious activity
Analysis date:
2023-12-01 10:27:11 UTC
Tags:
rat remcos remote stealer
Link:
https://app.any.run/tasks/46e1b601-cdfb-4f03-bd9d-8644644e1d4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/461681/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cdb2884c-083b-4f54-b8dd-ed43d4b4537e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1351311
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 05:01:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tm2kxu6usg2fdfno53jyr52ja3ejcxc54vyn2d3l4qpbow7cjcq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1ec6d9467259d4524dd9bb3ff8d5d6befe7ffb90f64d91418880c5ae5071fd6d
AgentTesla
25ad65700d96ab435cbe3070cc5189ade55537add318b907b57fc27b6dcf7110
AgentTesla
42a8ee6a8e2f9efccdac2959f5672d3512b63432baa50760de9f18d2ba912852
AgentTesla
ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
AgentTesla
f7b30dc1f94300574b8732927571cb9c63c8e986849f4079a8ceda881acf8c26
AgentTesla
+ 3'299 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host-g collection rat spyware stealer
Link:
https://tria.ge/reports/231201-mfes6shb4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
198.27.121.194:2024
Unpacked files
SH256 hash:
3e4574c67cca54874c11234eecc52428de9c8539a8b882232ade38ee0cadf545
MD5 hash:
e4d9d2cbb2d53ed4dd3a0d4a760fbbf9
SHA1 hash:
3af74a2265e9504174d6397b28d40d9e0dfb1b9b
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
Parent samples :
ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
1c6359877d20878968af7beddced849db2e38e1ca64e6e5c6c6ddff6801aad97
SH256 hash:
7121df2346f78b6acd317743dcd3b519a419db3cab470ef1ccda27be64b91d56
MD5 hash:
344559728ff4010303056f7e5fc780f2
SHA1 hash:
dd44c459e48d26baefc85b8de862bc1ec8dbc69c
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
SH256 hash:
bc99dcc182eaf17394c34611c1aef4ad45c3079ae116c19caa17620d64c39f7c
MD5 hash:
84fe0cc42b4f30e7b6f58c92f9ad3d56
SHA1 hash:
d753cc7cc8e2927f9cde57fb67b5bceebd2f5fd2
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
SH256 hash:
0e8a5f6bd3e915b9d2fae9428730dc5017348d23b622bccbb1971e352052734b
MD5 hash:
56feb04fdc8b0453c62267ac204ed555
SHA1 hash:
7d41fb41cac90bea85cb6691a5945568115cbcbf
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
SH256 hash:
ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245
MD5 hash:
60f31c64785034095f8a62e89da663b8
SHA1 hash:
f4942bafff2a7638f5aa7b7ddae3ba9bf6ea5ff6
Link:
https://www.unpac.me/results/b6a4aa31-464c-4891-9509-8cc6f67b097b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ecd9a55e9ea4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ecd9a55e9ea48da28cad77769c47ba4836448ae2ef2b86e87b5f20f0badf1245

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/461681/

Comments