MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff867e475abe496c04c7a4193d8cdb9d5687846fd3d61bbb439aaab0d9f7496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff867e475abe496c04c7a4193d8cdb9d5687846fd3d61bbb439aaab0d9f7496
SHA3-384 hash: 974a2897f1dd04c9a85a74cc7cda7b3744b4747844eb279f5a15c30f843cee2bc6e8e4c418d1b65f4325dcb5937afec5
SHA1 hash: 66b1c925d0ac806f04d714f20c0944b3ecdda9ae
MD5 hash: 63ace791092dc37993022fcb537e23df
humanhash: wisconsin-mexico-network-yankee
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:279'495 bytes
First seen:2021-03-09 14:16:31 UTC
Last seen:2021-03-09 16:05:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:MBlL/HoJ5WjJOCLiuws35N1/wmEj358pXCecs:mBov2Oa35/o3GpX9B
Threatray 3'098 similar samples on MalwareBazaar
TLSH EC5412A572D4C8B6F10B02F52B76D621E2B397491000578BA3702D7B1EB6BCB9E1B573
Reporter abuse_ch
Tags:AgentTesla exe geo TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: yue0.grahnam.casa
Sending IP: 194.87.138.211
From: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Reply-To: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Subject: 20000, EUR Swift Bildirimi
Attachment: Ziraat Bankasi Swift Mesaji.r19 (contains "Ziraat Bankasi Swift Mesaji.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-09 14:23:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8dbc9df-fd5c-4d14-b480-0a9fa6a56691

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123240/
Detection(s):
SecuriteInfo.com.Variant.Barys.102245.28767.31657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/632913
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 14:17:07 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f74gpzdvvpsjnqcmpjazhwgnxhkwq6cg7u6wdo5uhgvkwdm7osla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
013066864283e4be87e7bd39b6e75ef40e98014377d520ffd213a8de2d59923f
AgentTesla
10af1d92dad836fcb80093f9715d0515f5de7ead530b401f7c537afa08ab3117
AgentTesla
168d180de146160d0ba93335e36e00d62029ea13f0a41ace68a76e8a2b547ac3
AgentTesla
9cc817f0205da4bde1d938e1817aa98fe4f4a5dcbcaffbe8b45041e24c105aa0
AgentTesla
d2fdd26effc669ec89f294c59ba3bd55a698c75fe89404655b6b010ef76f2237
AgentTesla
dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2
AgentTesla
ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e
AgentTesla
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
AgentTesla
f7af12b666ffa2eb7f5c8a4bdf258b4b47138f8fe21f7f11271581caa891918d
AgentTesla
fc6ea0c4fe6733f5e28ff0476efbacb55d2f8ce35e4313988454f77c819afb56
AgentTesla
+ 3'088 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210309-ml9sqklnqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
2ff867e475abe496c04c7a4193d8cdb9d5687846fd3d61bbb439aaab0d9f7496
MD5 hash:
63ace791092dc37993022fcb537e23df
SHA1 hash:
66b1c925d0ac806f04d714f20c0944b3ecdda9ae
Link:
https://www.unpac.me/results/f288f1a8-bf4b-4499-a741-a53142be9adf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff867e475abe496c04c7a4193d8cdb9d5687846fd3d61bbb439aaab0d9f7496

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 577b6bc2e507a84e137c0a11862a0cc827fe0621c70b5936df665b93a2b0beda

AgentTesla

Executable exe 2ff867e475abe496c04c7a4193d8cdb9d5687846fd3d61bbb439aaab0d9f7496

(this sample)

  
Dropped by
MD5 f12fd87f6fc477292a45d1b9f4bb4b49
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123240/
  
Dropped by
SHA256 577b6bc2e507a84e137c0a11862a0cc827fe0621c70b5936df665b93a2b0beda

Comments