MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9
SHA3-384 hash:	646c70301895775772b3c4543fdc43c8baaa7a713315b10a7c12b25fcdeac20a47fab8414033cfba5280257a24d07110
SHA1 hash:	e8235306ddb50f4fa20125078d7082e0a78c7de7
MD5 hash:	390eb705ab6628469553e19cfbb95438
humanhash:	thirteen-beryllium-timing-nevada
File name:	Albaraka Türk İnternet Şubesi E-Dekontunuz.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	961'024 bytes
First seen:	2021-08-03 08:40:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:Zm4SIqW+iWvjTY8ht/DvC8c24ZqcL1yWAg1BedtcoeaX14U4prSWLlu2iN:ZmaF+R3Y83/DzXaAECtcoeaXC5Tlu1
Threatray	10'404 similar samples on MalwareBazaar
TLSH	T14D15CF2126FA1A59F3B79BF24BC4B46E8BF6F5739619F0B93E9103824321D418D52732
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.thevirabali.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Albaraka Türk İnternet Şubesi E-Dekontunuz.pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-03 08:44:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ed61cb50-5175-4c74-b90c-7210ee8a87f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Creating a process from a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd3c17c1-6e57-42c6-8a59-f1931b597bc6

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/825992

Signature

Adds a directory exclusion to Windows Defender

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-03 08:41:05 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ccbsz25hm3eigjxrcq5ouqjfmluj2m3f6sqnutlh4x3e5cyl5heq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

34389c63bfec9402befc3afc4d92259a43056b33d6e4b70054d50ba38d258981

AgentTesla

559ba07809e7bb16a50c8872fef5f930d54662bb95147abacd01617180b419a8

AgentTesla

6378dda8047cccbf0228f9a7c92e6c1650255bbb4fbde0e20c05149f50518dc6

AgentTesla

7a93cc0c53a02b539c07c06f9fc2d0e9b3794e6c33165e4e7cbe34c569e31278

AgentTesla

a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f

AgentTesla

a5cab0a179d83d27c7cddb804f83325d5c47825b09150dd80c1ec55033d25b74

AgentTesla

dab8c3350d525d66785c80647dd39cac8fc981c7a18c66b8bea5526926c6aad6

AgentTesla

ddc8771c8289570c7409f94a657f06b68d6df2b80293f83f0d635b83b2f14dda

AgentTesla

f7e513d0306588b6a5ab536513e1ada1cc326116d0840a8fc9a029f473645b45

AgentTesla

+ 10'394 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210803-qm8zwagw8n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Unpacked files

SH256 hash:

6093c2e164169b8afa0f2263e155d3e4457615903ce2c5188390fd66dd55814e

MD5 hash:

e8be20e06fc42809f8b6f37a695653d8

SHA1 hash:

fc8184464ae09437a03fceb449961b2306a45c7f

Link:

https://www.unpac.me/results/06be37d8-f33f-4e96-97eb-a5dca3799d24/

SH256 hash:

74c20fc9d2d18797edac937c48301f4976dd1c47b6c9da3e7e2dfbcc3dc627b5

MD5 hash:

a1487ea86521420426bdb28a3fffdd3f

SHA1 hash:

bcd497451e955bcbe5409902889a241ef1a9bf93

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/06be37d8-f33f-4e96-97eb-a5dca3799d24/

Parent samples :

10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9
56f76a46dce436b266c15dcf4b0b849d818f06e997b65d36e3b5dab7187712b0
de2d33832ab38b68d3268580eb9df2c48bf8cc949a6d76b17255ed9427fadfc4

SH256 hash:

cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c

MD5 hash:

a0f625a3d3348903f3c902f588c0e4f5

SHA1 hash:

20d1f0b74abe6f500e8c21119f55281926210ac0

Link:

https://www.unpac.me/results/06be37d8-f33f-4e96-97eb-a5dca3799d24/

SH256 hash:

10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9

MD5 hash:

390eb705ab6628469553e19cfbb95438

SHA1 hash:

e8235306ddb50f4fa20125078d7082e0a78c7de7

Link:

https://www.unpac.me/results/06be37d8-f33f-4e96-97eb-a5dca3799d24/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10832ceba766c88326f1143aea412562e89d3365f4a0da4d67e5f64e8b0be9c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV2 Create hunting rule
Author:	ditekshen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_telegram_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/b4ceef1e-a649-44b7-9e0c-e53c3ab05354

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample