MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed
SHA3-384 hash:	bde559bf519cae02a4b6c41970727fd6c5e3596047c02495d9c515a1cb88ac6a149b46ce52a332c967c0328f20292da3
SHA1 hash:	d34dc97dd02408e1304df5ba7ec66e2dcfa20584
MD5 hash:	e035bc2cbfc3910329796b79c1e7dd8b
humanhash:	west-mike-high-one
File name:	PO.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'166'336 bytes
First seen:	2022-11-22 17:43:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:k1utqdOTLC6tDmQKn842PRyQU3zUEMdE99:kMqdOa6J/KnJLJ3z0W99
Threatray	23'392 similar samples on MalwareBazaar
TLSH	T118456BCB2F714E94CB4E3870588C1B8852523DA14CFD9CF22775AA6E19564AFB69333C
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	74ecc4d4d4949494 (1 x AgentTesla)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

PO.exe

Verdict:

Malicious activity

Analysis date:

2022-11-22 17:43:37 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/925467bb-edfa-4211-bf7c-55b07fbde891

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/337316/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637d0a2b24da1c12cfe1744b/reports/7d81cc8b-953f-4104-a495-62d3c44bc9d8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1119121

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-22 17:09:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5z4gwf6a325lynnkuodnu5mmcpgj4ckswdjnjytfovxusp4cylwq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3d4675990a22b7b649b90e569b987c1ea4324237add09703a6935725a82b4f78

AgentTesla

4bbd85c14581647e0a4e94dd595e8ba27779633283be91601a58717abadc8be6

AgentTesla

83a8cc912b1a3d00f24d9de117fce9e695e62ace9d45ad22ec57ba903bcdecfd

AgentTesla

a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452

AgentTesla

acc9bb38581081506db62caf5850f4b8819296a1be01202b47c44d3950e7ebb2

AgentTesla

ceba86869a38a11e349256319cfbbf9badb03a8cc09cc3cdb5c0e972bdb4cf51

AgentTesla

d1130fc195b0a91917f5ce05fcfc7863c66ae495f2ac0aa955b64376df71db1e

AgentTesla

e2a90cdf08685df4fa381005a74278bb173e6e9ec543ebca1c7c3f2817dbd256

AgentTesla

f6296973ab1f1e7ab66b2ff2e79a241471555235b4ad6f909163abcaa778f3ce

AgentTesla

+ 23'382 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221122-waka5sbf84/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument

Unpacked files

SH256 hash:

4a21fc1f2ef85ac55a01155210738835d234f19295edb67b18b688735b331e74

MD5 hash:

db2b2c5c18348a548525f5daeba07d56

SHA1 hash:

99ffab9900fda264cc03740e7fbc2e4bd48dcb5d

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

SH256 hash:

c78401563e8d5557050f906f12a71b10d5f0a6650d012ba6c8fbe99a11f80668

MD5 hash:

55b76ea1ac804d6fed4f499ba47a070c

SHA1 hash:

8aed16136be9eec31bc1d0c38513008acd286d9a

Detections:

AgentTesla

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

Parent samples :

ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed
9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5
53643684e723ff5fe2cfef8ab65cd8395120f618223e4fa44c2fad60e0b0e29a
9196273424391332296b033958a8271b9937e8688e3a3c36bd04d5dd62f164cc

SH256 hash:

63a0f677496209d79047cacc91c90cdb8703394c4ea0b229ebcf884d9a21dc16

MD5 hash:

e935d7222a98ffdf442afcc103490b8a

SHA1 hash:

779c5d3d86ffcc97b5dcc1e4fa37d95c5b376854

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

SH256 hash:

d3564fe3774198dcf37d0b6182ae78722d9a4053afe1c55271c8459a44d56038

MD5 hash:

bd09cbf7f491da0038d98accaaf03bab

SHA1 hash:

446cabb1103236c28ca329634672129f307ffd29

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

SH256 hash:

ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed

MD5 hash:

e035bc2cbfc3910329796b79c1e7dd8b

SHA1 hash:

d34dc97dd02408e1304df5ba7ec66e2dcfa20584

Link:

https://www.unpac.me/results/04616b3c-7531-49ef-93fd-d7f0c8ac1190/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee786b17c0de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/337316/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample