MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
SHA3-384 hash: 77bb40107265862c354f5bcf25fe29936aad9feb4fa2abe891f4fa9b0b4c7b93ae88fbfc68d8626fcd664e6f780dc866
SHA1 hash: e9448ba04b5f44eca194aa3460b7956323f1689a
MD5 hash: 31e4c96916589d14de42ed8efb8b78c8
humanhash: freddie-colorado-video-potato
File name:Acct# SOA.pdf________________________________________________________________________________.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'017'344 bytes
First seen:2023-10-25 07:56:26 UTC
Last seen:2023-10-25 07:56:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SMQaMFM0Mvxv9R0lM5iPUFZNdlvD7rU4JPJuRmpZ9xJRuc9V:SMjv9wUFZNXvDRxJKwZ9TRuG
Threatray 193 similar samples on MalwareBazaar
TLSH T12B258E7D1DF98227B978D6A2CFA0C432B161D6EFF5629E29D4D742818702A03B4C71BD
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Acct# SOA.pdf________________________________________________________________________________.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 07:59:12 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/8f476da4-8899-4da5-a9f6-ac893959719a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456187/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.769.15078.14822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6538ca505f371a3fc8612159/reports/752a858f-20cb-4e2e-8b4a-2b3783357503/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/556c9b01-d3cc-4c46-afe2-0c65e4cb18c8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331739
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331739 Sample: Acct#_SOA.pdf______________... Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 42 mail.expertsconsultgh.co 2->42 44 api4.ipify.org 2->44 46 api.ipify.org 2->46 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Antivirus detection for URL or domain 2->56 58 11 other signatures 2->58 8 Acct#_SOA.pdf________________________________________________________________________________.exe 7 2->8         started        12 goJkwceBCmh.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\goJkwceBCmh.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpB4D2.tmp, XML 8->40 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 14 RegSvcs.exe 15 2 8->14         started        18 RegSvcs.exe 8->18         started        20 powershell.exe 23 8->20         started        28 2 other processes 8->28 64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 22 RegSvcs.exe 12->22         started        24 schtasks.exe 12->24         started        26 RegSvcs.exe 12->26         started        signatures6 process7 dnsIp8 48 mail.expertsconsultgh.co 173.254.28.237, 49743, 49745, 587 UNIFIEDLAYER-AS-1US United States 14->48 50 api4.ipify.org 173.231.16.77, 443, 49741, 49744 WEBNXUS United States 14->50 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->70 30 conhost.exe 20->30         started        72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->72 74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 32 conhost.exe 24->32         started        34 conhost.exe 28->34         started        36 conhost.exe 28->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 07:11:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5t3yagfjwzlilaivqj5vj76meann4w26vrabfulhlowag4dg3hxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b282c5279640f86929276ce1a52be1ec7e892701954362e5568f254101880b5
AgentTesla
6703706a8c532bece036e36fc650fc082b04c5b771e5c2458adf28fdc667ad97
AgentTesla
74a84823c35436e2a73f303aaf86be5d2c59f025c948c0044f948d613da91870
AgentTesla
7df6c33cbd852c467ef5a454451436e31a48d360a4959224e11a79ab4ad10f91
AgentTesla
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
AgentTesla
f1766635b1f5e7015ff13d8b6998366b45550d8be505f002b8e6192db3e503e7
AgentTesla
f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3
AgentTesla
+ 183 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231025-js9brsfb64/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
ea6847239b8454de1c89f034bfd564344b3314b3fe9748226019bf17230743ef
MD5 hash:
1b46663de1abc94bd92f81e5688ca068
SHA1 hash:
b957eb5b3edac64e9df7c8d14e2a121a094e01d4
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
SH256 hash:
de59c3246c72163cfc5d3b5a8aec72ec6a585893a6c7d80fbff35238aabe6027
MD5 hash:
c3b2bcacf04baacd6daae4cf4896872c
SHA1 hash:
b7815d4d77ea49e493898d9ce06061e2c9c83feb
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
SH256 hash:
d6b99ee78baf52df59de8afb766b7d19ff2ddbead4b6050a932447b870caa0b2
MD5 hash:
5040c63361e99f9754c4a80b0c50a818
SHA1 hash:
386f08fe4e40b147219ddca87236822c913cee74
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
SH256 hash:
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
MD5 hash:
8560712e92050b126209625784bac522
SHA1 hash:
31ace913c80581487089a4ce88a03616cda905ed
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
Parent samples :
d9c02f3e9cc894fd55747ee2c449c1c40c2906d9fe1134994593eb0e81589a30
28657acf0a25a10979f1f7df41780b42fbeef920272067f9345f7a6a4788f889
3b0760dbe7dc9ac6a2cf5971ddde67c51e57bc973995cf641de226409b537817
930ac5c7da662a0118aba6fa78aeadf706ed8b5ab98e03b94dbd04991dfd2b7d
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
f8105fdfa774017614ec9aa30084a2a6645456c05704896fc972dd5d0c99ec76
ec57c2de3349840ec8ac00000c964ba5c68cda5b954f6ea4ca3ced7098257286
ddf7770047bab26cd3cc7752df568dda1b03789739ed404e3c5143bf0abba51f
9edefc168186e3a7ea6785affc672f91cbe4f592d4b84c75435866f16eddc82b
4f14ea5723dc55b7fc4a76f7bc7f5a834a16f531d8d47342b9a64a79678d417b
bb5557412213a1e283b548c6cd1da5c5848610756cd98352e6a77bb7ae952839
208319e004a6786ea50aacc67797171f4f4356f232bbf2e99c91cdbbe48c7624
5ab2ba45e2190d5a88041adb9a7be32bebe71a846832bba6efde116531d087c2
f4f24561c696372a62370c947fdecb96cfa6162711718f79a2c2e07836b69c80
4c2cbc5a9ebf7ef6269d1b0533da551b9e1bd419d0e8626db602ea0f77ae8f08
600d4ce1088af7290d2e4096db034af9eca3431a7942073dc485788a538a0747
b5169b6fa30cff601e0f3473f0a95006767553560753831f4e7f365758011433
ad2a1e6ea8fb128c76cafb20b9eae42b641ba5bf8932ac1867a8e3c51889192a
00ec18a18e5816731a60f69bcbe7c9296ae4084e5e390e8b545d475e1a37c7d9
a9bfb74e882c289a3fcbdc104411229292d0127efacffda9beb22206f58630aa
d65ba38b65d9ef5515d49a13be05cbdc0094c25a6ae4823935bc6f838de759a7
fcd2ed1088d64779e16e5134652d8360212e613b75c6cd5929216cabe27cfeeb
e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
0b675485123aef301b8f33a5ebca2b1dfb12c7bffcdc7331dc16615c9d6b0495
e108137aa0469b5a1affc9d86a92e9e844a9540d9082ca5511b67de114310f88
ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
768ad01a4a10350c639160a41fcb2e08e108cfeddb993cb2535bc1804fdd1a3c
ac4ba0aff57a411df5eabcec6b1ab5cff2ff47dcf578fdce74be6cd3405b626c
a92454653447052d1a4d2342adeae2ae74a0499868a6fbd7834773b47b368cb7
c7834a1e61260b87156453c5281e2dc6f922d6ffdced1cec6ad2c5507680fa17
66d429595734624fc9610dff9b019f6b1687865f7197094a6102ced753453f9d
b6ae3f27029900241bf6ecd397a0686061db57ce48df21098bc27d365fc3139f
b0f78bdc2bfc668fc39e8735344d5c6ca8f78290132b70734c76dbf436c41c44
52c04c41fc17f8f05d233e2b9403fcebc3ccb8fb1b4e7d776a9b7db78d4fa980
c94c3741876b0ec763fa759b91c10d941c12626e84ef0d43c6c64cec7959f4f8
38468ab187452cb5bb9572bfe5b111449b8daa66678cd67396f8d5ccaaa382a4
e774f64c2078e0b89fa7a65590044e70212823f02b0300636deff0ccb5a36971
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
cb7de7bc680acafc54395cc399b1a38c440424738270c4bbd005b4a13229fc39
cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2
SH256 hash:
ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
MD5 hash:
31e4c96916589d14de42ed8efb8b78c8
SHA1 hash:
e9448ba04b5f44eca194aa3460b7956323f1689a
Link:
https://www.unpac.me/results/9853303b-5334-41da-bfe3-2d833c03bbe4/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ecf78018a9b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 30a3e0ed7ecbb303e80c8b5557f61735bd6ecc03ef1478bd09796f34aa3b890c

AgentTesla

Executable exe ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 30a3e0ed7ecbb303e80c8b5557f61735bd6ecc03ef1478bd09796f34aa3b890c
  
Dropped by
SHA256 64ef2bb97c7c7c0a878bb0583ae4cb5a43f9798c3b8ec3c97da5d9759b332103
Cape
Cape
https://www.capesandbox.com/analysis/456187/
  
Dropped by
MD5 5b2c722825ecaa8c79915d31df5da325
  
Dropped by
MD5 caa6d877743969971199d61b94d0352f

Comments