MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
SHA3-384 hash: 6bfe69ea7c5e8841f60621cea5435528a168584a5e69e6f39a48c81f729484fbebae99b0d0de8e7fe9ed96a5fe317aa0
SHA1 hash: 335f5107d14c8d8061b7ff2881e2f2e31de88db8
MD5 hash: 9decac95c3ec784cf12ceafbd5c1af6a
humanhash: fifteen-wisconsin-item-fifteen
File name:BBVA-Confirming Contrato de Cesión de Créditos Sin Recurso.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:681'984 bytes
First seen:2020-10-16 17:46:21 UTC
Last seen:2020-10-16 19:22:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ZqA/sr3m+3u24//Pubbwv8FmNI5sWSaGkhwqULAk7sbo9hMjI7APFN1:V/sr3hQ/P/NI5a1mULAk7sMvr72v
Threatray 638 similar samples on MalwareBazaar
TLSH D5E4DF217719AF58E1BE837798A4489493FAED06D332D52A3DF832CE45B1FA49132707
Reporter abuse_ch
Tags:AgentTesla BBVA ESP exe geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns1.evs16.com
Sending IP: 91.142.214.192
From: Confirming_bbva@bbva.com
Subject: BBVA-Confirming Contrato de Cesión de Créditos Sin Recurso
Attachment: BBVA-Confirming Contrato de Cesión de Créditos Sin Recurso.rar (contains "BBVA-Confirming Contrato de Cesión de Créditos Sin Recurso.exe")

AgentTesla SMTP exfil server:
mail.mylgestion.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72222/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.jc.19848.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494025
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 10:33:01 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajvtr2hlbzhvaxofmajemfb6pz33xutdboi56udcfz5bjydsqz2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1011042b7b2b5de9a160551cd8a212a24108b85935744f0cfbe29f8729b57d17
AgentTesla
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
5193daa3e21a010020f044a9167f141a4c9e62d8f19b21dc82049045a2fbee48
AgentTesla
874d56e400622b93fb1606b348a4fc41c112de5c69cc13ef0845d378db9ef6a6
AgentTesla
92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49
AgentTesla
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
AgentTesla
de92f367f0cd6124c89fca0b754bf8dafe8a6a993b56380edb5fc8676c58cdb5
AgentTesla
f825e9c3e852a8827bfd8deffef97e1b27ad1b0c0dd97e4806d07bba95c65570
AgentTesla
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
AgentTesla
+ 628 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201016-v7kq7q8tzn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
MD5 hash:
9decac95c3ec784cf12ceafbd5c1af6a
SHA1 hash:
335f5107d14c8d8061b7ff2881e2f2e31de88db8
Link:
https://www.unpac.me/results/58bc5239-9a5a-4c92-b1c2-03c8f4c31850/
SH256 hash:
5468f9fdc015f5e2e4bad9bb7d7161a3a2d23d10f4d1fa2eda6aa75a0cb4d598
MD5 hash:
09e3b8f3d30e07d83b28b7ca10a59108
SHA1 hash:
309b889654563fd8696a2466341b9f286fa4be5d
Link:
https://www.unpac.me/results/58bc5239-9a5a-4c92-b1c2-03c8f4c31850/
SH256 hash:
c8c79ba04ab76c96db913f05b4b5bab36e7e0148fd72148df170a4be94d879a3
MD5 hash:
cddedf1345f0ee6986b566b1bd7a5329
SHA1 hash:
5a845beb5cd9c95e52d7316ab5419c8c399af82b
Link:
https://www.unpac.me/results/58bc5239-9a5a-4c92-b1c2-03c8f4c31850/
SH256 hash:
913b46e3ca792b8de9faa33a42de61ea399134fbf548a93ae005f78f4b1a0c33
MD5 hash:
adeaa10a548d9e642e286ca2d4ee917f
SHA1 hash:
dbf24ed8cab7da794716ac0b02c41c7b84222a16
Link:
https://www.unpac.me/results/58bc5239-9a5a-4c92-b1c2-03c8f4c31850/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/58bc5239-9a5a-4c92-b1c2-03c8f4c31850/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 43a7b28937e3615a4d54482e95f37071dd2d6ea1a18e4332d6860efebda1ca83

AgentTesla

Executable exe 026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675

(this sample)

  
Dropped by
MD5 79782c53768f51970d0a54132c747987
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72222/
  
Dropped by
SHA256 43a7b28937e3615a4d54482e95f37071dd2d6ea1a18e4332d6860efebda1ca83

Comments