MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
SHA3-384 hash: 347f0fb6e4e31b8df6397aff5ceef0c37e555e2274eae2d7ca05253bd17718d51fd9e98acbf8a952928756fe24d953ba
SHA1 hash: 9a4d1ae410c067a66261bfa590dbf56d25083d94
MD5 hash: e1df690a980825ac23648d38ec63b0d3
humanhash: stairway-salami-carolina-connecticut
File name:SecuriteInfo.com.Generic.mg.e1df690a980825ac.25424
Download: download sample
Signature AgentTesla
Create hunting rule
File size:975'872 bytes
First seen:2020-11-14 13:40:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:fya4NHFDLQRSVzMu62V6xdKySW6bExH98eqY2MC1pNV0vpvQc:arNpV4N4UUIB2M4zCvJt
Threatray 10'933 similar samples on MalwareBazaar
TLSH 24256B067B0497A4D49435774AE5FB8173A6F5C31AE08B1D230FAA3899932C61F0EBDD
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.e1df690a980825ac.25424.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
93 / 100
Link:
https://www.joesandbox.com/analysis/534859
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316529 Sample: SecuriteInfo.com.Generic.mg... Startdate: 14/11/2020 Architecture: WINDOWS Score: 93 71 Found malware configuration 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected AgentTesla 2->75 77 2 other signatures 2->77 9 SecuriteInfo.com.Generic.mg.e1df690a980825ac.exe 4 2->9         started        13 stubus.exe 2 2->13         started        15 ljYBX.exe 4 2->15         started        17 ljYBX.exe 2->17         started        process3 file4 55 SecuriteInfo.com.G...90a980825ac.exe.log, ASCII 9->55 dropped 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->95 19 cmd.exe 1 9->19         started        21 cmd.exe 2 9->21         started        97 Writes to foreign memory regions 13->97 99 Allocates memory in foreign processes 13->99 101 Injects a PE file into a foreign processes 13->101 24 InstallUtil.exe 13->24         started        28 conhost.exe 15->28         started        30 conhost.exe 17->30         started        signatures5 process6 dnsIp7 32 stubus.exe 4 19->32         started        35 conhost.exe 19->35         started        51 C:\Users\user\AppData\Roaming\stubus.exe, PE32 21->51 dropped 37 conhost.exe 21->37         started        59 192.168.2.1 unknown unknown 24->59 61 smtp.gmail.com 24->61 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->79 81 Tries to steal Mail credentials (via file access) 24->81 83 Tries to harvest and steal ftp login credentials 24->83 85 3 other signatures 24->85 file8 signatures9 process10 signatures11 63 Multi AV Scanner detection for dropped file 32->63 65 Writes to foreign memory regions 32->65 67 Allocates memory in foreign processes 32->67 69 2 other signatures 32->69 39 InstallUtil.exe 2 9 32->39         started        44 cmd.exe 1 32->44         started        process12 dnsIp13 57 smtp.gmail.com 173.194.69.108, 49712, 49718, 49743 GOOGLEUS United States 39->57 53 C:\Users\user\AppData\Roaming\...\ljYBX.exe, PE32 39->53 dropped 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->87 89 Tries to steal Mail credentials (via file access) 39->89 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->91 93 3 other signatures 39->93 46 reg.exe 1 1 44->46         started        49 conhost.exe 44->49         started        file14 signatures15 process16 signatures17 103 Creates multiple autostart registry keys 46->103
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-11-08 13:05:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5y2xz7pjd6g7fjug7anexdlszhpsvviwiwabvsfheavvxt7vcx2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
AgentTesla
46cf0d598ead968845e7d17cfba1b30eccb7a66fa639763ba99335b3ce4d8f65
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5b2d98988762dc2de5918566081c7d43d9dacb82cede10c6af1cbb50ab0955a9
AgentTesla
6a2cc7556c8fb10ce705ad1b1fe835b359baed8c84071683528c6fd6a8dc0332
AgentTesla
76aae91b7f532cb38c1848495595dbd02d6ded35faae729a5bfc65c69d17eef8
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157
AgentTesla
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
AgentTesla
dec081544348d7000fcbd9ee30c3854733dc8b56f808f5dae28a21050fce03a2
AgentTesla
+ 10'923 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201114-2wt5nxrkxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4511d23fd8256f424ccb13a8e6cecea692e629c5c2f00b47f9a5a1469dbe461d
MD5 hash:
4c610ab0b16daa66e26d90dab6517245
SHA1 hash:
1197a1c0623ecd73697e63b086ed0bc0206862e0
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/5db10b00-6fe6-4826-9e85-fbaacb6d903a/
Parent samples :
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
84b555de54d251346360a06f9537948fcbc653c81b2c733c02791bc64c6c4b9f
ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/5db10b00-6fe6-4826-9e85-fbaacb6d903a/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/5db10b00-6fe6-4826-9e85-fbaacb6d903a/
SH256 hash:
ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
MD5 hash:
e1df690a980825ac23648d38ec63b0d3
SHA1 hash:
9a4d1ae410c067a66261bfa590dbf56d25083d94
Link:
https://www.unpac.me/results/5db10b00-6fe6-4826-9e85-fbaacb6d903a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments