MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
SHA3-384 hash: 3106a9421ed8dc0857171731e2fc4365225e6a716f0b2c51e3b2e15d68a4c4f6f227193c3a983fc448d827a8df6734c7
SHA1 hash: 9c577789387b202cf1fe1c40f4f87937350e9d23
MD5 hash: f0015c5c4327dc4dac62089027567d9b
humanhash: ten-eighteen-leopard-east
File name:Customer Order, Images, Spec.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:306'176 bytes
First seen:2020-12-17 06:58:23 UTC
Last seen:2020-12-17 08:32:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 6144:WJ9RDedvLg/AMS6rryYvx+64Pok9kRPyOTtgC32+BPafNXZxEWlw:yDB/vyYp+64wkaFjTtL3jdafhZG
Threatray 1'966 similar samples on MalwareBazaar
TLSH DD54128EFB19C518C1293E702A375A2CB436356A538085E09B53F554A61BAFC3CBE4DE
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Customer Order, Images, Spec.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 07:41:35 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/10c80ae1-0220-4133-bbf1-27f9513d895a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Generic.mg.f0015c5c4327dc4d.20101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/564989
Signature
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 06:59:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=52hjw44twapg6rvrkqh54qxw7kuh33rlgecll2ajwpacdh4ruxea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f077fb618914c9f987dc7975a5e4c6372234ca35c292de29d864c494910928c
AgentTesla
2a24e55affebdf336e67fe9ba8f667b095784a6bc6857ce8b89e7c48c8a8fd21
AgentTesla
5be120d6eeb8d2f79d7bee7ba9c6e122b8b505c0cfa7f7d8ca9026ed0b78155c
AgentTesla
b0cea585c416540b6820f91a0c1cf8d8eb6776ec0cecce0709cd2c22f15f7cc3
AgentTesla
be48a66b718f94c2379453ff845e0047504573e3c0e1a9f7ab3011dab1c06b57
AgentTesla
c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25
AgentTesla
c32319a00c304265cd1bf26cba8be19edd08ebefc4cac72d1b8dccdeaace40d3
AgentTesla
ce431d943b7df67690c0c89d1556a8d9ca222a78568d56c8c3aeaccc74f40fd4
AgentTesla
f3ba2b7b17b659d41e6794dc0aeae05bb1d3f5d21dad10d5064e24f85bde7b22
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'956 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201217-d25geh2qne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d9b4ba1fdc29816ae6dae571d7f4cb22795ba9a508f10f02f27b5ba11767e55c
MD5 hash:
122036093aa95aab8f81878908db1ab3
SHA1 hash:
9258179f563d8d964a77c9b4438a89eff45a65d5
Link:
https://www.unpac.me/results/49077a40-0e8a-49b7-b061-7b44dbb51731/
SH256 hash:
13ec69725927ef36cc3dc685710ba06f5a9317e745b0be4e6f94d8324a9765b7
MD5 hash:
dd71acc01d7e9b43c18b1c134a26912b
SHA1 hash:
39270c56f493fe4792aefd9b5df07f9d9fa64d89
Link:
https://www.unpac.me/results/49077a40-0e8a-49b7-b061-7b44dbb51731/
SH256 hash:
bffb93d152a159cf240ff572c854f33809cdfbdd55e1238a81add006d55f3363
MD5 hash:
57ca67b1f43493941e44f10579263602
SHA1 hash:
94fc7a9402629942aff9d6044397940c5e3489db
Link:
https://www.unpac.me/results/49077a40-0e8a-49b7-b061-7b44dbb51731/
SH256 hash:
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
MD5 hash:
f0015c5c4327dc4dac62089027567d9b
SHA1 hash:
9c577789387b202cf1fe1c40f4f87937350e9d23
Link:
https://www.unpac.me/results/49077a40-0e8a-49b7-b061-7b44dbb51731/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 697234a66ea01428164440034fcd15f9dc45ff3434f090f641bab6ebf0e95a26

AgentTesla

Executable exe ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 697234a66ea01428164440034fcd15f9dc45ff3434f090f641bab6ebf0e95a26

Comments