MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238
SHA3-384 hash: 5bfe5847052cd4da4c6237863828de6273ba9dfa42146d8f20486a1c9eb541f3e9fc0f1a34593cd450d3e6d70d571c86
SHA1 hash: 86b071b7d25e4e436fa999416eae779d956677f9
MD5 hash: c3a7d3c3b8e41cbe97faa1a373b4df58
humanhash: oklahoma-ohio-bravo-earth
File name:Quotation9809.Scan.pdf....exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'552 bytes
First seen:2020-10-21 11:10:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oUMrWlHFFh/eW1eQqcL9hJnrnWuNGm21hYodrzSdBxhhnJLe+mYPIrXmiu43R94:l4WlnhfeQvnr2PrzSd3hjs
Threatray 697 similar samples on MalwareBazaar
TLSH 18F4F1593A50B1CEC8CAE834DE84DC7399612D7613DB4A5254E76CEBBC8E74BCE201B1
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.bosut.mk:26

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74112/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505744
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 10:45:41 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5uhdciindbwsrnxl5lje2pexegah3df4howwylni7d32j5j3yi4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527
AgentTesla
0d708c83b36fe0c753363337dcd0a940e8e9ce2927a9847e56deed6b98fa5b5d
AgentTesla
1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
AgentTesla
7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351
AgentTesla
95b6a02e3bfccd61edaa3f291e2daaed0ee8852a80f26ac7ecb6a1ed7c416845
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
c5a6b816ef66b1c222ca59df4e8e75eed744b3d758430eef345c78e9417aa138
AgentTesla
c86b7a87ec994002a7f8f759ce37633e2ebfce32c727abf26b1c8cd4b32f0c1a
AgentTesla
cc6c48150c475d3312f01a96a5301e2263cc4c821e2d6a48b4bb2bdb07edb968
AgentTesla
+ 687 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201021-1mvdyreqdn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238
MD5 hash:
c3a7d3c3b8e41cbe97faa1a373b4df58
SHA1 hash:
86b071b7d25e4e436fa999416eae779d956677f9
Link:
https://www.unpac.me/results/800ca438-9292-49d3-98b1-43615124139a/
SH256 hash:
640e7b739a2ddc0da8e1e0ebf7216ea1d09e3f039adfa095df3e37e63e833f8b
MD5 hash:
ac391a5d9783704927c0e80438c6ba6a
SHA1 hash:
5d8aa79e049920fcc6821fdf0366efd7628fe3cf
Link:
https://www.unpac.me/results/800ca438-9292-49d3-98b1-43615124139a/
SH256 hash:
e7649236134abf9f0a89f90630cb457fed23551d54b298259a6925f6a638d06b
MD5 hash:
128e40ac3ea4e9a88c69c2a84d1a018e
SHA1 hash:
892d5e2aa3ea437a1f30dbf8a21d850cf3842925
Link:
https://www.unpac.me/results/800ca438-9292-49d3-98b1-43615124139a/
SH256 hash:
bda4e57a10cd7a01ef28d8318f6568c8fc038eb43f658a11318f72b9763e19e5
MD5 hash:
0fecbc11e505c38ab6aefab8593da760
SHA1 hash:
ac8c8107f515d2a6f57d6a4d29b8f944254e8d72
Link:
https://www.unpac.me/results/800ca438-9292-49d3-98b1-43615124139a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ed0e31210d186d28b6ebead24d3c9721807d8cbc3bad6c2da8f8f7a4f53bc238

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74112/

Comments