MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f317e0dc1f74b0e49135d97d78c57a088121a9e70644e0eb3092489b9b753240. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 13
| SHA256 hash: | f317e0dc1f74b0e49135d97d78c57a088121a9e70644e0eb3092489b9b753240 |
|---|---|
| SHA3-384 hash: | 5308a543ecd7e0f215fbd646c1acbee9ec47a614d1ceb39dd70af49322c9008c42a9b88d304187d3e187d31ba5a76f7e |
| SHA1 hash: | ee18d46ba9e65d01803866af3766340046887171 |
| MD5 hash: | 37a2adeafcf10704d6311552b5445918 |
| humanhash: | uniform-south-oregon-victor |
| File name: | eEDJpEQHY1TA58F.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 698'880 bytes |
| First seen: | 2021-03-07 23:08:43 UTC |
| Last seen: | 2021-03-10 00:14:41 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:LalRp10L+AJcu8sN34IuJQAxwn/28fWBaTmv+F:+6JNdP29w/pRTMS |
| Threatray | 10'909 similar samples on MalwareBazaar |
| TLSH | D1E4BD01E6940AD2DFE82BF91521D040D7B57C4AAC5FE20B0B4130DDE9BEB5DA5D3AA3 |
| Reporter |  GovCERT_CH |
| Tags: | AgentTesla |
Intelligence
File Origin
# of uploads :
6
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eEDJpEQHY1TA58F.exe
Verdict:
Malicious activity
Analysis date:
2021-03-07 23:12:01 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Status:
Malicious
First seen:
2021-03-07 21:15:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
72
AV detection:
10 of 43 (23.26%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 10'899 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a4e01c1b03904c020e48cc36443ebf31d7e04f53a57d9c5ac0daccd75caff2f7
MD5 hash:
1352ff3efafc0ac9e9ab2cd08eebed2b
SHA1 hash:
acaf8d47167976790e3df88bd63ed30b0d32d49e
Detections:
win_agent_tesla_w1
Parent samples :
7c6a987b9a63992f13adc130b38aee07d79d8786178c9cf339915112a28a7a6f
436c0c803cf1ed56a09ce4ba60472e15082fccc5d84e587aebbbb159d487feb5
e9839355693536c3d416824964cdabce19938fe1bae7109567cf6d95af6f5ff3
6932cd91548a70814291bd9793e7e048526cc4f183e5aa3c9ca8ba9b243a8474
64cf6c6d753b20e2a4d9ffc5f39706602e80a90c8ed8efce79d7e6535805302f
e7aa669d895afe3d45e3b096f3f1b5d0d36c0f441175b677fe4541733f5cb61c
34b8598fe95c5cb429075ef2fe2f9246da1f9009a8fe5e735ed6f415ce2e9526
f317e0dc1f74b0e49135d97d78c57a088121a9e70644e0eb3092489b9b753240
436c0c803cf1ed56a09ce4ba60472e15082fccc5d84e587aebbbb159d487feb5
e9839355693536c3d416824964cdabce19938fe1bae7109567cf6d95af6f5ff3
6932cd91548a70814291bd9793e7e048526cc4f183e5aa3c9ca8ba9b243a8474
64cf6c6d753b20e2a4d9ffc5f39706602e80a90c8ed8efce79d7e6535805302f
e7aa669d895afe3d45e3b096f3f1b5d0d36c0f441175b677fe4541733f5cb61c
34b8598fe95c5cb429075ef2fe2f9246da1f9009a8fe5e735ed6f415ce2e9526
f317e0dc1f74b0e49135d97d78c57a088121a9e70644e0eb3092489b9b753240
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
SH256 hash:
e2b3d2d64b6e47088cf766591979c4184153f4a73af45c9647d007844fe693c7
MD5 hash:
0dc0b22a3acda9183486ae6f94552f34
SHA1 hash:
00d1e3524f49d45df192b62c8bb6950dca19a4ba
SH256 hash:
f317e0dc1f74b0e49135d97d78c57a088121a9e70644e0eb3092489b9b753240
MD5 hash:
37a2adeafcf10704d6311552b5445918
SHA1 hash:
ee18d46ba9e65d01803866af3766340046887171
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTesla_extracted_bin |
|---|---|
| Author: | James_inthe_box |
| Description: | AgentTesla extracted |
| Rule name: | AgentTesla_mod_tough_bin |
|---|---|
| Author: | James_inthe_box |
| Reference: | https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/ |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | agent_tesla_2019 |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | CAP_HookExKeylogger |
|---|---|
| Author: | Brian C. Bell -- @biebsmalwareguy |
| Reference: | https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar |
| Rule name: | MALWARE_Win_AgentTeslaV2 |
|---|---|
| Author: | ditekSHen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | MALWARE_Win_AgentTeslaV3 |
|---|---|
| Author: | ditekSHen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | win_agent_tesla_v1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects Agent Tesla |
| Rule name: | win_agent_tesla_w1 |
|---|---|
| Author: | govcert_ch |
| Description: | Detect Agent Tesla based on common .NET code sequences |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Dropped by
AgentTesla
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.