MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa
SHA3-384 hash: 1574ae357d21153b7faf01ce0a8cf2949bcd22b553149407a6c1481e7e41b69b012e445251e7bdca4249de69268ae071
SHA1 hash: dfa7800cef99a8d7cb788f46678c6d9643ced770
MD5 hash: f6c71b6ee2820f9774d8a02aa3dac876
humanhash: sad-west-dakota-pip
File name:Facturas Pagadas al Vencimiento.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:632'832 bytes
First seen:2020-10-06 06:28:51 UTC
Last seen:2020-10-06 08:12:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:4hM66AFHLUbi0VlSbNqycWNRyuSB5/TmsiEN:4Glkr7qycWNYhB5bm8
Threatray 341 similar samples on MalwareBazaar
TLSH F1D4011923B8D716D4BD573A6020211037F5E8479726F38DEEAAB05DB933BC4CE91B92
Reporter abuse_ch
Tags:AgentTesla BBVA ESP exe geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: Confirming.bbva@bbva.com
Subject: BBVA-Confirming Facturas Pagadas al Vencimiento
Attachment: Facturas Pagadas al Vencimiento.rar (contains "Facturas Pagadas al Vencimiento.exe")

AgentTesla SMTP exfil server:
mail.gascuenca.es:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68479/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482456
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 04:47:28 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lg56h46j2bgrqajgwe4w3tncl5jtusi2sisv77p4uswlnjwkpp5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8ab355a4e825d4b233ce66f8e5f5b75b4c161cbb25f070f3355b6b15625dc784
AgentTesla
9a09e075c72d1054035ab56fc790933d097a8a3986e0a1eca8b925606d304956
AgentTesla
9d9e3278180f9d8b038c943eaf74a91002f30ff456bc7e8dfef40ef1a4e8fb4a
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c
AgentTesla
fa2bcbff57b3c111ea69b6f47cb4f39c4111b124ef97e3ee00347a175f67e93d
AgentTesla
+ 331 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201006-nbx7k76xk6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa
MD5 hash:
f6c71b6ee2820f9774d8a02aa3dac876
SHA1 hash:
dfa7800cef99a8d7cb788f46678c6d9643ced770
Link:
https://www.unpac.me/results/f11a2363-7021-4d7b-b182-c3bdcd3a7ccc/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/f11a2363-7021-4d7b-b182-c3bdcd3a7ccc/
SH256 hash:
012cf8065e59785e82d5782dc1c522c582df2d723e7a5391dc3667c42bdf3ff5
MD5 hash:
ca2558991f636736e36e6987ccd61575
SHA1 hash:
674c2b3dbc1bdf572f1a02b8240123cc864d4cff
Link:
https://www.unpac.me/results/f11a2363-7021-4d7b-b182-c3bdcd3a7ccc/
SH256 hash:
f4eb0018f5a17e5c47652ffd346ffeda4413d577d21c260a19d65fa3865aef11
MD5 hash:
e33c0ee2c749b92f2227a36a74031e3b
SHA1 hash:
a9c4f21cb1f2fa09065b7d3358825b12e17c59ba
Link:
https://www.unpac.me/results/f11a2363-7021-4d7b-b182-c3bdcd3a7ccc/
SH256 hash:
e85d2798db218f6a89b107b3d0be31f9d5fd1fd0e911d3e852050ae2e4c5829d
MD5 hash:
0caf8915853e65f79be1389854064589
SHA1 hash:
bb630eec12da0af3d51fd98112aeb66857f569e6
Link:
https://www.unpac.me/results/f11a2363-7021-4d7b-b182-c3bdcd3a7ccc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5b2a685def418da9584a44084f68624519f2dab5fd6f36b73f63e7d1304e9d65

AgentTesla

Executable exe 59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa

(this sample)

  
Dropped by
MD5 349eb21119ed5b18c1440491e489b507
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68479/
  
Dropped by
SHA256 5b2a685def418da9584a44084f68624519f2dab5fd6f36b73f63e7d1304e9d65

Comments