MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a
SHA3-384 hash: 0cbe99074dba89edbfcb56db8d586c01bd80d604f5f44ddd586c7d531235cdc17d8e5a2f903a29d37ae1eb2841588f7e
SHA1 hash: 1a3bc393251aa03eb9fbd9f108fbcebc934ddda6
MD5 hash: 83d61733dae28132bbfc714fc4c8c061
humanhash: pluto-mobile-zebra-tennessee
File name:921009-2_Product_List.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:890'368 bytes
First seen:2020-10-12 07:33:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:JHlIfNAtiNl8riaE9RbdxXAkf3Z5i0k4lFa32qLOjuNEkCiY9Jug:6Wb5EpTKOq6zwg
Threatray 36 similar samples on MalwareBazaar
TLSH 3F15933ABCD40527D53A9673D5E6118AEB127983360ADE0F26D703820E4375B6DCEE9C
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Yana Ulyanova <marcel.meissner@hsp.biz>
Subject: sv: catalog
Attachment: 921009-2_Product_List.img (contains "921009-2_Product_List.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69991/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/488126
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:20:54 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52jsqqkqfa7og36zfmpf3uwgiuxrawetvpclvxzd5y3ezozx3i5a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
09d9572cad1a804f85d7bc282e21a9b5e351f44fc371fbcd84cf266a28cb4a5e
AgentTesla
2485826ad6e01c5ae26b460a9152854b3a6780da46f4abbca35be5b0bd570eb3
AgentTesla
2e5c6ecfef94f9922f152344b96041b85bf2dc01136e921e2d8c644d903b708d
AgentTesla
32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384
AgentTesla
3832b8b199ec2a5c06dfc3ed80a489583043e6477668370861380ee5306d9e55
AgentTesla
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c
AgentTesla
553ee875b3fc39e67daff6b7ace6590da149818f31bc7f84bc115858d10ab4f9
AgentTesla
8a4c19d061f37cadbd360a95a3167e980535706cd300af79b6ff4053f8ea02cc
AgentTesla
97950fbe40dd26ac4eabd641e8bae0fc8f23ce04e3c4cf06ad5e451389b80556
AgentTesla
b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d
AgentTesla
+ 26 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201012-tgezzzfehe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a
MD5 hash:
83d61733dae28132bbfc714fc4c8c061
SHA1 hash:
1a3bc393251aa03eb9fbd9f108fbcebc934ddda6
Link:
https://www.unpac.me/results/fc81db8c-effe-4668-92e5-0d2f2bed9387/
SH256 hash:
98f1ec063c0e92115eddc2992cd164eae8d96c49177483321b525364469c9cc6
MD5 hash:
415624be058a0819e01e4018900197d9
SHA1 hash:
268c761ce93ebe55398764b747b40ad175b7fb87
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/fc81db8c-effe-4668-92e5-0d2f2bed9387/
Parent samples :
55ee4e94de776d7e7748e9a321055cc59d0f0274b2b81bfae0f1f020a65ab33f
ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a
5306ccf8e071dfadc74127764af12ce26295dea128a1a73c93152fc4a5d47edf
6c7db3cbcde67820238124f2e18f872ead9184460bcfb2ab23c292f5ade625e2
7ce357f7c3475e91f3dd3880f4fbbaa6d50f7101044b8b24e2ca0ea70981286c
8ea119b72080d578b209c7daf8462f18fa70e9592bbdae7ee6ea63bd4d67e8a5
SH256 hash:
180ffca790845a22016428da671a3e4aab524a55033cf511ad11c08d9423b4e8
MD5 hash:
5b0af9e8eb522fc36f96c89af0a94618
SHA1 hash:
f47e6e5ba680dc67b0c35cfbea44758db78f99a2
Link:
https://www.unpac.me/results/fc81db8c-effe-4668-92e5-0d2f2bed9387/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 0000a8dab0b438e9341d131e1dbbad5791544c26ccb8494480494bfddd138376

AgentTesla

Executable exe ee93284150283ee36fd92b1e5dd2c6452f105893abc4badf23ee364cbb37da3a

(this sample)

  
Dropped by
MD5 17a416cb568f429d73cc5b234d2b59fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69991/
  
Dropped by
SHA256 0000a8dab0b438e9341d131e1dbbad5791544c26ccb8494480494bfddd138376

Comments