MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea
SHA3-384 hash: 12377a9186484b6f3318bb1fa1ef0a173360958b287a42b6b723e27c543730d4b7f2eb3fe5bbcaacc079ad10cb70e86e
SHA1 hash: 21f46e3a99eee9039921b3d602c36fd7146189c3
MD5 hash: 9afb9830e80c3cc85bc5f89ea4118444
humanhash: butter-autumn-cold-kentucky
File name:RFQ_99705546,99805546_Mark Cansick & Company.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:435'200 bytes
First seen:2021-10-04 08:16:52 UTC
Last seen:2021-10-04 14:44:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:4ESo60y0AnBVqYd9tZCR85BxUfdZIRy/Y5qH:4ESv0yLHxB4RaOnIgYsH
Threatray 10'623 similar samples on MalwareBazaar
TLSH T1EC94016823A79344CD7983F53824D6921B7A6436245CC7386FD8A4FC3EB3BB44AE0193
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_99705546,99805546_Mark Cansick & Company.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 08:19:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/68b7006d-d994-4214-b24f-4f78ace90522

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194465/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2feee3d213d202b77466/reports/4b57f816-6400-4708-99f3-7e4fc820e61b/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f19365c9-478a-4cd5-ae4d-cf956be52029
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863714
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496142 Sample: RFQ_99705546,99805546_Mark ... Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 32 smtp.regalbelloit.com 2->32 34 us2.smtp.mailhostbox.com 2->34 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 11 other signatures 2->46 8 RFQ_99705546,99805546_Mark Cansick & Company.exe 7 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Roaming\uFuRcpzl.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\tmpBD52.tmp, XML 8->28 dropped 30 RFQ_99705546,99805...k & Company.exe.log, ASCII 8->30 dropped 48 Adds a directory exclusion to Windows Defender 8->48 12 RFQ_99705546,99805546_Mark Cansick & Company.exe 6 8->12         started        16 powershell.exe 9 8->16         started        18 schtasks.exe 1 8->18         started        20 2 other processes 8->20 signatures6 process7 dnsIp8 36 smtp.regalbelloit.com 12->36 38 us2.smtp.mailhostbox.com 208.91.199.223, 49856, 49857, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->38 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Moves itself to temp directory 12->52 54 Tries to steal Mail credentials (via file access) 12->54 56 3 other signatures 12->56 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 08:17:32 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xr35nxlqmog74a46jtro77y44okqg2def25ytmgrl46mfzpwhva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1eb70c33da7bd551957076bfeb9841fb48904bb9e75c205c3223248643ca05f7
AgentTesla
57b2a44351febaa40160b21423b5f084f15802290e82910cd3d94331eb3e3791
AgentTesla
603176e689510a10a66678429d44be65ab85ac5b5b0db2fd284f35ea5009f840
AgentTesla
64e29f703a7f82f83191dc2f20ace8a7e8ca2e44794e8ab3c0a323b475b4ca2b
AgentTesla
7c49ac4366eb07c5e5a146356908ba9e2e7e1bb2630422821f93530f0e2ec2ed
AgentTesla
7c9db09b727fcd8d7cad535a77911b8b9fc0c2508366c9f7a90e1f8a8c6ad1dc
AgentTesla
89e61f4aa6bbd3fea013926a88b93065d928ba5be51343e8dd162356d922f2b1
AgentTesla
b8aa0bc71ba600e39afa9e612cff8216020c9d276df9655c6d9d807ef3b18bc9
AgentTesla
d8c285b8cbdafee6b30293d64b2ca92f9fb086247cb906a84c2ba13c364132ca
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
+ 10'613 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211004-j6p52sgaa4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
6082620129d9bbd582d44cce5dbcb7678b28c16f001dbed1f8308606f43a3abd
MD5 hash:
3112db3cef70d9f884abbe3347347b4a
SHA1 hash:
9d644dae5518d8902f992992e5195e1bdbe47e85
Link:
https://www.unpac.me/results/5b0ab1b3-4f15-4994-8f66-6c501cb36005/
SH256 hash:
cc0da4fb39c56b431528eb4877c6f3e0ab43502c3fea59f82f225272b375d1f8
MD5 hash:
79a2a1bd4fc41604aa61606658034d94
SHA1 hash:
8567a8890274a96181f081b221d8d55421266f9e
Link:
https://www.unpac.me/results/5b0ab1b3-4f15-4994-8f66-6c501cb36005/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/5b0ab1b3-4f15-4994-8f66-6c501cb36005/
SH256 hash:
ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea
MD5 hash:
9afb9830e80c3cc85bc5f89ea4118444
SHA1 hash:
21f46e3a99eee9039921b3d602c36fd7146189c3
Link:
https://www.unpac.me/results/5b0ab1b3-4f15-4994-8f66-6c501cb36005/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ede3beb6eb83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ede3beb6eb831c6ff01cf267177ff8e71ca81b432175dc4d868af9e6172fb1ea

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194465/

Comments