MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493
SHA3-384 hash:	0dc0ee2badd5b26ebb384a1ea74480a47504ec0d3010eb396f4f39cd65ffe7671a4af4ebb3157672c0c6315001937fed
SHA1 hash:	180b969aeea729149ce71088edb7d1444f23ec91
MD5 hash:	a3d86f73edafe4c67a10353b13252776
humanhash:	july-undress-victor-georgia
File name:	IMG_PI S20080071.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	559'104 bytes
First seen:	2020-08-11 12:25:59 UTC
Last seen:	2020-08-11 13:19:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:d/U2MS6HBTR0fSyG62HdPkUisULO/Zxxc:O79Tu1V2S+//xc
Threatray	257 similar samples on MalwareBazaar
TLSH	47C4E0A1B1156993CDB840F19916914107A13C79F9A0F3FB7CCEF3AB6AF27018626D27
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: server.unsubscribeasap.com
Sending IP: 198.102.14.18
From: ECANDES Sales Group <Sales@ecandes.de>
Subject: New Order ECANDES - August
Attachment: IMG_PI S20080071.img (contains "IMG_PI S20080071.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43347/

Detection(s):

SecuriteInfo.com.Generic.mg.a3d86f73edafe4c6.28830.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/418800

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-11 12:27:08 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ynomvbrhiksk4kmkcpuhc4dl5nlgqrqhr3pht3tmcsqaq2rmsjq._file

Verdict:

malicious

Similar samples:

211abb81c05810e3f08608a7035e8c4c3337de419e63257b4c3e4a1d2669aec5

2edf599121414035034dc26dfa30205d6fdea40a9e9683ef24433b3c819a0145

39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9

3bb1bbf49c6e224032025dc7dacb3862e8b16c8b39e5cc19c5aceda4dbc917d9

425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df

466de5558ccea92e0395a1e775b8625f7818d3f70b8f09143935e0dc9e15a0e9

7ed29b5971fdfce885116395debc7289bf0e27966e6c72e41f0e6902b30c6575

846481e2b8fa290c2cb12b0c8803305435c9833c4c791f3d4d989db6f51838c5

9384296bb6fa6159840f84440da915fc9e93a94d476a28a33265318c0b4d03a2

f8879d92bc99f6203ffa3afdc3b27f01e90a637fcf389487ec6e672929a61a3a

+ 247 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200811-mhjd2w2sbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 60e19bc26b53326238485650ce52b07397963f303e0c8ac3ceb23301e52c2a42

exe fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493

(this sample)

Dropped by

MD5 a9e0ce03838869f8cdfb4c1d152a6476

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/43347/

Dropped by

SHA256 60e19bc26b53326238485650ce52b07397963f303e0c8ac3ceb23301e52c2a42

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample