MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d
SHA3-384 hash: 425283bcc5aa5682c90a168fe8566c524ca5701e80d224c65e2b2be8e3c487951448582dd02d8aa010ac07613bb437f5
SHA1 hash: a73f1995d138e72116b7b6baa3c00b5f385a9d9f
MD5 hash: d55b3f1d1eac53de725e8ea738a6cbf2
humanhash: salami-ceiling-floor-carbon
File name:d55b3f1d1eac53de725e8ea738a6cbf2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:575'488 bytes
First seen:2021-09-02 17:59:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PbwlMhmqhuC9WUPJ3v1uJBXbJHQVgfpci5YNojNu+Y1nQtNY37:Pb51hFWUnkBlwVXia
Threatray 10'160 similar samples on MalwareBazaar
TLSH T1EFC4AE983660B59FC81BCD7AD9581C20AA60B47B530FE303A45326AD9E4E69FDF111F3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d55b3f1d1eac53de725e8ea738a6cbf2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-02 18:09:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/301f2d81-adba-4c56-a944-e0542db3d470

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184877/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73653382-f94a-4a31-b54d-9b47ea555f7c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844242
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476673 Sample: 9l1RHqWmVB.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 5 other signatures 2->59 7 9l1RHqWmVB.exe 7 2->7         started        11 NLKBQYR.exe 5 2->11         started        13 NLKBQYR.exe 4 2->13         started        process3 file4 39 C:\Users\user\AppData\...\lLauzacvtTQYO.exe, PE32 7->39 dropped 41 C:\...\lLauzacvtTQYO.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmpA7CA.tmp, XML 7->43 dropped 45 C:\Users\user\AppData\...\9l1RHqWmVB.exe.log, ASCII 7->45 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 15 9l1RHqWmVB.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 9l1RHqWmVB.exe 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 23 NLKBQYR.exe 2 11->23         started        25 schtasks.exe 1 11->25         started        27 schtasks.exe 13->27         started        29 NLKBQYR.exe 13->29         started        31 NLKBQYR.exe 13->31         started        signatures5 process6 file7 47 C:\Users\user\AppData\Roaming\...47LKBQYR.exe, PE32 15->47 dropped 49 C:\Users\user\...49LKBQYR.exe:Zone.Identifier, ASCII 15->49 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->51 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 27->37         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 17:59:08 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
AgentTesla
352dcb6d07e24df2a517db0ba594f02e46692e2fb5ff632fa9b44d6319cdf268
AgentTesla
41576a4ea5b8e1d0c9a1ca017e2a5265c1d7ae9e32f2327871e8f9acc6219fa3
AgentTesla
b4bd99f8e845eb8989697730c4d42b4a405972fa010415d74356efa46b9b745c
AgentTesla
b7d48d6756b3aed80b0ad5f814de208052b80e8b5b5937e33531af36c2c447f5
AgentTesla
b9a0f67098094ecfc0675a49e35a8a7b088c459c686b383a0ad0c35ea6975f6c
AgentTesla
cf9fba55a1a9e94e666cbca5b10daa9c4ac1c097f720c537ca2d6fa1d8fb0d17
AgentTesla
e758d7eed6c58b468d4e83295c69a68c013b42e6442e8791797777110f01fa02
AgentTesla
+ 10'150 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210902-wksehaecan/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c76121037408ebe9d5a3dd012887841ecb004a750d075e81192dfd95d3ab7034
MD5 hash:
8433a873f526a4469ebf24f08c807ee7
SHA1 hash:
58e2d3107f8f627015ba03ccbce8e681d7007cb8
Link:
https://www.unpac.me/results/b4f96ecb-f4ab-4b19-992b-2e351fb2dba5/
SH256 hash:
81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c
MD5 hash:
bae511742374b721136acaa03b0c1fa0
SHA1 hash:
215c50455b01a78ea173bbb034ddbe4b452ea734
Link:
https://www.unpac.me/results/b4f96ecb-f4ab-4b19-992b-2e351fb2dba5/
SH256 hash:
aaa3164c23640c4b8a0f5b79cd95c5f570333c0e3942f1759a7a61085d96f7c4
MD5 hash:
5a538b749b7cafb6a16416532e91efbb
SHA1 hash:
0573f1d3fe76c92519f91c6fda3f5d747419e47a
Link:
https://www.unpac.me/results/b4f96ecb-f4ab-4b19-992b-2e351fb2dba5/
SH256 hash:
ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d
MD5 hash:
d55b3f1d1eac53de725e8ea738a6cbf2
SHA1 hash:
a73f1995d138e72116b7b6baa3c00b5f385a9d9f
Link:
https://www.unpac.me/results/b4f96ecb-f4ab-4b19-992b-2e351fb2dba5/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ed6849e36e1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ed6849e36e1a1df98b7957c684b3aedeb08674f12070ba105098364ef2c9f96d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1583770/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/184877/

Comments