MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e
SHA3-384 hash: 6e2a94540b82133d68977d94caa93b7ce3f8cd8ae43112517aba39f523adccf81335176a1a8f9bab37fb17c54417950f
SHA1 hash: 39ef3a4e8a8f2e7534890eb6a41fda39c843c086
MD5 hash: ab14702961098e242a758997f35f3c18
humanhash: angel-muppet-violet-west
File name:ab14702961098e242a758997f35f3c18.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:682'496 bytes
First seen:2020-10-12 09:57:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 010f3e42f15e9eb57a4a9a1dad838a51 (10 x Loki, 8 x AgentTesla, 3 x MassLogger)
ssdeep 12288:8AindXhz+XwfE0CQPW7q0dzQNqJHRrUtqGJk+5TgCtp/:Ti16wf9aNzQ4lFUtqG50Cj
Threatray 1'710 similar samples on MalwareBazaar
TLSH 39E4BF22E2E17433C1273A3D9CDB576C982DBE503D2869462BF55C4F9F3D681782A293
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yussmed.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488291
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296600 Sample: 2jqWaBNwy0.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected AgentTesla 2->27 29 .NET source code contains very large array initializations 2->29 31 Machine Learning detection for sample 2->31 6 newapp.exe 2->6         started        9 2jqWaBNwy0.exe 2->9         started        11 newapp.exe 2->11         started        process3 signatures4 33 Multi AV Scanner detection for dropped file 6->33 35 Detected unpacking (changes PE section rights) 6->35 37 Detected unpacking (overwrites its own PE header) 6->37 45 3 other signatures 6->45 13 newapp.exe 4 6->13         started        39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->41 43 Maps a DLL or memory area into another process 9->43 16 2jqWaBNwy0.exe 2 7 9->16         started        19 newapp.exe 4 11->19         started        process5 file6 47 Tries to harvest and steal browser information (history, passwords, etc) 13->47 21 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->21 dropped 23 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->23 dropped 49 Tries to steal Mail credentials (via file access) 16->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->51 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 09:58:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b77lhbmiyo3d6lwgzzs7qklknu6eydcd5oetjbrjl4366cxkuipa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241
AgentTesla
2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f
AgentTesla
40ad91b6933578e04f70c93df1390205dda69285cb0a08337296bccf03a01d40
AgentTesla
814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
AgentTesla
e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 1'700 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence spyware
Link:
https://tria.ge/reports/201012-gpe8azjqke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e
MD5 hash:
ab14702961098e242a758997f35f3c18
SHA1 hash:
39ef3a4e8a8f2e7534890eb6a41fda39c843c086
Link:
https://www.unpac.me/results/549a4701-2d7d-4830-8d25-0c884c394252/
SH256 hash:
f54842980cba8deabaa9cb132049c69b436fa3e1fdf63a510ccee7f1eafbf2c8
MD5 hash:
4eb70431aceb01cfef345075ee6934ac
SHA1 hash:
bcb8a7c52ed7e1e7a0e96e883d6c389f4cec243c
Link:
https://www.unpac.me/results/549a4701-2d7d-4830-8d25-0c884c394252/
SH256 hash:
75d876c6f5f63dde11338c00dc28ddc3472be9a5091154d4c0df20a0a4f91c81
MD5 hash:
58e38fad612f4aadfdde344cb38dc1d4
SHA1 hash:
7faf38b024b6b520f505ee1ae68e81292645fe12
Link:
https://www.unpac.me/results/549a4701-2d7d-4830-8d25-0c884c394252/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0ffeb38588c3b63f2ec6ce65f8296a6d3c4c0c43eb893486295f37ef0aeaa21e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/460184/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70060/

Comments