MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d
SHA3-384 hash: 38fa49e19d8ac967aece834bf4332a839ae3239f892879b866f17ed8ec23586e20b2c58f127c35c032459878ff564c31
SHA1 hash: bf0a7e03caabca439d509efdd1469017d8dab67d
MD5 hash: a120d2e3b90d834a25db067837e80f64
humanhash: paris-iowa-oregon-happy
File name:eOIHzljG9DZTgwp.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:928'256 bytes
First seen:2020-10-25 17:21:07 UTC
Last seen:2020-10-25 18:54:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:H7/oZ2LIHez+8bYMIqEWDllAjY2OHhnr:Tzk81I+lEY2O9
Threatray 105 similar samples on MalwareBazaar
TLSH 5D15123E96686F30F1AC1B3B8865A81053FEEE059A12D67F2DC475AD8AF3BD90444317
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: transfopam.com
Sending IP: 83.149.84.75
From: Logistic Manager <purchase@transfopam.com>
Subject: PACKING LIST -170957 & BILL OF LADING #BLI-170685 / Departure 27th OCT 2020
Attachment: PACKING LIST PL-1070957 BILL OF LADING BLI-170685.PDF.IMG (contains "eOIHzljG9DZTgwp.exe")

AgentTesla SMTP exfil server:
mail.thanhphet.asia:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75820/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.3641.20682.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/509577
Signature
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303906 Sample: eOIHzljG9DZTgwp.exe Startdate: 25/10/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 8 other signatures 2->47 8 eOIHzljG9DZTgwp.exe 7 2->8         started        process3 file4 29 C:\Users\user\AppData\Roaming\zJrndjuV.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmpB206.tmp, XML 8->31 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->59 12 eOIHzljG9DZTgwp.exe 6 8->12         started        15 schtasks.exe 1 8->15         started        signatures5 process6 file7 33 C:\Users\user\AppData\Roaming\wXiyJGP.exe, PE32 12->33 dropped 17 eOIHzljG9DZTgwp.exe 15 2 12->17         started        21 schtasks.exe 1 12->21         started        23 eOIHzljG9DZTgwp.exe 12->23         started        25 conhost.exe 15->25         started        process8 dnsIp9 35 mail.thanhphet.asia 192.185.113.157, 49713, 587 UNIFIEDLAYER-AS-1US United States 17->35 37 elb097307-934924932.us-east-1.elb.amazonaws.com 54.204.14.42, 443, 49712 AMAZON-AESUS United States 17->37 39 2 other IPs or domains 17->39 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->49 51 Tries to steal Mail credentials (via file access) 17->51 53 Tries to harvest and steal ftp login credentials 17->53 55 2 other signatures 17->55 27 conhost.exe 21->27         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 09:37:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=didekn7lbqasj4sbvw3vufd773tlrw2zpwifdrzknqodyqq3bnwq._file
Verdict:
unknown
Similar samples:
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
AgentTesla
287597fcffd11298b757ac806606000d8dd4c3c2641891c1932a1e76348d9922
AgentTesla
37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
AgentTesla
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d
AgentTesla
9693d78b6cb6fcdb5e129c278d307d7fa6bef2fff302498909640051f22b730e
AgentTesla
a7154f13f8a8a66f47afafe4099e6e760aef60af8eb8d66de0d8ee83cfe1ef8b
AgentTesla
b35741dc7b3748ad255394b04aa0b6f2a25fda177ba6ad504a2b802f555c33b2
AgentTesla
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
AgentTesla
+ 95 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201025-bfl5x4pk6e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d
MD5 hash:
a120d2e3b90d834a25db067837e80f64
SHA1 hash:
bf0a7e03caabca439d509efdd1469017d8dab67d
Link:
https://www.unpac.me/results/47a44c56-57f1-4138-9338-ddbbaa075e4f/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/47a44c56-57f1-4138-9338-ddbbaa075e4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:unixredflags
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for red flags
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 39cef71d1691d0987af0c0a982789d5f2234d245a37d7d7ff7d6604ee0856299

AgentTesla

Executable exe 1a064537eb0c0124f241adb75a147ffee6b8db597d9051c72a6c1c3c421b0b6d

(this sample)

  
Dropped by
MD5 5f3486fb6bc14fb75c7cd01c7606d6e9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75820/
  
Dropped by
SHA256 39cef71d1691d0987af0c0a982789d5f2234d245a37d7d7ff7d6604ee0856299

Comments