MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8
SHA3-384 hash: e4dcba86a5872f606a4436cee2f1b453b3393f37753e6398dcfc524435c162a3b01ef08420e36eb351080ae6809a1f25
SHA1 hash: 4a202ece0e039cafea573c7d5a59a42b67d5a717
MD5 hash: a9813d3cbcb1aa2160b8837f8e68bf5c
humanhash: chicken-ack-robin-earth
File name:QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'059'840 bytes
First seen:2022-03-22 13:12:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Nohj4YUL1zNe1esCxCx0YIoBTQC8MyPG5R7cMQMSfko4X5W8GA/C:NoheNeyx7/oJnJyPG8MQZP448h
Threatray 16'102 similar samples on MalwareBazaar
TLSH T1CF352381B6B8C957C67D2F7D447517058270D5AAAE13E78FAC8042E9128F3CB9723787
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/254358/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FSG.genEldorado.21813.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc7426f5-036c-4da2-bf35-7cf2755315e0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961848
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 16:16:32 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yi3tqoxkvvuriajp4vangdibjvc5voazkd5e5lk7xwvqj5sfcua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0498c1e68e0fb59171e05bee6afdc6e4697f28fec80ba0e9c70d4b5a7a6ad198
AgentTesla
2d85d471ad1d32fccd8a586d9c7a960d0a77812b5e551fcdd16fc8bf1f15924a
AgentTesla
3d9b6f001249131fa6bee7bf7f051ef784ef5ec22bcd8cc4c5b45f6de2c67ec9
AgentTesla
bc297a5178f17d2b1f7c69649155df74086c99486c2caa5a1117fd45f52f41fa
AgentTesla
c3624982c4e27761f6d132bb33b9fd3618642fdc0cc5949a6207ceef392b3d8a
AgentTesla
d90b203b874a7965f1695c39812eac80201b531d2e5b108b518919d0331a6b08
AgentTesla
ddd2c3304f4423f4348cf0d858ecba70eaaba5b652969d5f582a534ccfb55093
AgentTesla
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
AgentTesla
e57cd18f57da68b90790071673ac21fa6bfbb9b2b54451fbe4276fc506536719
AgentTesla
+ 16'092 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220322-qf4dbafde6/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4f38783d3ebe8c8eddb484334847ffe25df7008ad65ce2a01fa5417fcfbee9c4
MD5 hash:
34929e780a88e91e7955958d25b85ceb
SHA1 hash:
3e823e3c43cf8cc477afe14181e397aecffb304c
Link:
https://www.unpac.me/results/95e58244-5a70-4d85-a70e-86464f719209/
SH256 hash:
ce3d3aed461794d7ca835771ca09455a66f184a75861925bdb627c31e0a515f9
MD5 hash:
633ff5b0a7cf14e635ddc3cda582e34d
SHA1 hash:
1ead2387fcc6c53b6a88495db413868d12bf4800
Link:
https://www.unpac.me/results/95e58244-5a70-4d85-a70e-86464f719209/
SH256 hash:
78774c3afa3dfa8c57d25c485748bbc3c0ed2394cee84d9257fc72c2898f84f5
MD5 hash:
702dbc937d0fa6b68f772791371a3cc1
SHA1 hash:
83fbcf5d9a650e17e715d0df5e02d149397a5fd7
Link:
https://www.unpac.me/results/95e58244-5a70-4d85-a70e-86464f719209/
SH256 hash:
301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash:
f08268ddb5c1236b947fe2864860fc98
SHA1 hash:
772410110fee00fc53939b94c2f64069fa824cf4
Link:
https://www.unpac.me/results/95e58244-5a70-4d85-a70e-86464f719209/
SH256 hash:
ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8
MD5 hash:
a9813d3cbcb1aa2160b8837f8e68bf5c
SHA1 hash:
4a202ece0e039cafea573c7d5a59a42b67d5a717
Link:
https://www.unpac.me/results/95e58244-5a70-4d85-a70e-86464f719209/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/254358/

Comments