MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee49f3d4c142ced06e9ce1d55cbccef59af45da7b21c123ddaf51c997b55f83e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee49f3d4c142ced06e9ce1d55cbccef59af45da7b21c123ddaf51c997b55f83e
SHA3-384 hash: c5c421d85c286aa9f57b4c60970b4326df3bb1da8103bf9117d3b6d65cbc8d2975a97866d8a819876d0c95b77b4e316f
SHA1 hash: bb4aeed0b2b58997eeb86b110101105c64091e48
MD5 hash: 732943a498bd8cab11530cf027a17ee1
humanhash: butter-butter-beryllium-fanta
File name:Payment Slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:810'496 bytes
First seen:2022-05-28 02:18:33 UTC
Last seen:2022-05-28 02:29:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:H4iww5Fxg/cChndObJjmtz0wK5Y4H6Bp4dVGVRzN7z1Dz4:NwOF+c2dMjQ0wcYQ6BuHs/
Threatray 17'628 similar samples on MalwareBazaar
TLSH T15905E06D72668E23C06917F9C0C3941413B45047A133E2C77FC6A2D62B66BD9ADCDB8B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c066e276b4c470a4 (18 x AgentTesla, 10 x Formbook, 2 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
417
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment Slip.exe
Verdict:
Malicious activity
Analysis date:
2022-05-28 02:20:02 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/d9479b27-6ae7-44b1-8640-548fd5f2363a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275118/
Detection(s):
SecuriteInfo.com.Variant.Lazy.189960.24131.13523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/629186d43ec49f83a6d2971e/reports/2cb17fb2-0159-485f-88f2-dba54dce1a51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/740b424c-99eb-4c62-a464-9d3e6bae1bff
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003239
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635731 Sample: Payment Slip.exe Startdate: 29/05/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 13 other signatures 2->64 7 Payment Slip.exe 7 2->7         started        11 Tnpak.exe 2->11         started        13 Tnpak.exe 2->13         started        process3 file4 38 C:\Users\user\AppData\Roaming\uerLpOim.exe, PE32 7->38 dropped 40 C:\Users\...\uerLpOim.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpCEC6.tmp, XML 7->42 dropped 44 C:\Users\user\...\Payment Slip.exe.log, ASCII 7->44 dropped 66 Writes to foreign memory regions 7->66 68 Adds a directory exclusion to Windows Defender 7->68 70 Injects a PE file into a foreign processes 7->70 15 RegSvcs.exe 2 4 7->15         started        20 powershell.exe 21 7->20         started        22 schtasks.exe 1 7->22         started        24 BackgroundTransferHost.exe 7->24         started        26 conhost.exe 11->26         started        28 conhost.exe 13->28         started        signatures5 process6 dnsIp7 46 subnet-group.com 206.189.39.129, 49750, 587 DIGITALOCEAN-ASNUS United States 15->46 48 mail.subnet-group.com 15->48 34 C:\Users\user\AppData\Roaming\...\Tnpak.exe, PE32 15->34 dropped 36 C:\Windows\System32\drivers\etc\hosts, ASCII 15->36 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->52 54 Tries to steal Mail credentials (via file / registry access) 15->54 56 5 other signatures 15->56 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        file8 signatures9 process10
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-28 00:37:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ze7hvgbilhna3u44hkvzpgo6wnpixnhwiobepo26uojs62v7a7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0918c0111b97f8a25e9717e9b74a96c85e9f3801e2922bb050e8024edf9adff0
AgentTesla
4303985ee7b44ba9c01edd967873f8b12df0dcd267f48df10962b3368e01ff82
AgentTesla
6a0cdf63baad32236d845d0027822d4e9c67ac4f9bddd9933ada09f9811dbca5
AgentTesla
6ac706b6fe1af38091271422e7b896393f32f34924e84f15ac296d837ce56605
AgentTesla
d3e50ef8f29f78a2bff3ddf40d6eb7a25986a549beba200ad9ff678dad816279
AgentTesla
dd0bdbd65d12a9ee3c2aea6c16ca0a6bf913d09a72385bfda2b1d8a6e1011436
AgentTesla
+ 17'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220528-crvcwshbgr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops file in Drivers directory
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
95b626b4ba50f2fd42f47a57f2a2d56cb2c13978a80ad464fea14850fc2fb8ff
MD5 hash:
1ffb26fd0eeec96e811f60854a7776ce
SHA1 hash:
abde2617c0d4438d9a1a5ae255a31275feab2c4f
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
SH256 hash:
8eea34761755bde6873f711d42e0cea8c3a08b702c192fb02749c0a6af01c7ec
MD5 hash:
41e199eb276a7ead0799dbf2948af888
SHA1 hash:
58e52db4474a979245a79d8f7686eff2f7be6f5f
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
SH256 hash:
ff841e033b111df4dcf1664644b2cd4d0168062dab7af162996688e3f461ee12
MD5 hash:
cfbdeef87102b9d3f30dd284b1fe59d6
SHA1 hash:
67cf7aa0c4ba870dddf25114f238bc2eff70e02e
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
SH256 hash:
775c1d65f690c4af72ba56fc20fb22b2b697471f171d075be693958414b23c78
MD5 hash:
c605011e9f06df906efd878fabb67ebc
SHA1 hash:
55c0176f53e02c8206c9799a2bfbdb4ba0fe96ff
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
SH256 hash:
742bfb49cf3904931ce87b810106611867a6b4b7a8d69f308e21d9d221365b3d
MD5 hash:
81cf021b05eebb622775151dc87f2aa1
SHA1 hash:
480c103ac6e66fe00b488d286832dc89eee088a6
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
SH256 hash:
ee49f3d4c142ced06e9ce1d55cbccef59af45da7b21c123ddaf51c997b55f83e
MD5 hash:
732943a498bd8cab11530cf027a17ee1
SHA1 hash:
bb4aeed0b2b58997eeb86b110101105c64091e48
Link:
https://www.unpac.me/results/d341bd7d-7a8d-49ed-9c2f-f9b222929b75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee49f3d4c142ced06e9ce1d55cbccef59af45da7b21c123ddaf51c997b55f83e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ee49f3d4c142ced06e9ce1d55cbccef59af45da7b21c123ddaf51c997b55f83e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275118/

Comments