MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805
SHA3-384 hash: ad9363a534ca047c7a1eee55172bebcb2d7c5c4753c6d18b0215700e0dd4b6602cbdcc801814d27cbbe8a35376eb6d99
SHA1 hash: 7f628ad5dd8fcd6b58b6b19d583111d041dd0581
MD5 hash: 16f3433ee5c743b8e296615aa62f74e3
humanhash: oregon-island-lamp-floor
File name:240-20201013-887387-MT103.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2020-10-13 07:19:36 UTC
Last seen:2020-10-13 08:21:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:try8TiAhyYVMlBftHzQXX/vf4vCIHtLb7PCLsCsbn:tW6T0QETzQXX/n+NnzCYB
Threatray 596 similar samples on MalwareBazaar
TLSH C3E4E03B32F96F21E07EDBBD1A60454417F2E447F322D56F7DBA01A94193F860BA2612
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hsbc.com.hk
Sending IP: 91.132.139.169
From: The Hongkong and Shanghai Banking Corporation Limited (HSBC) <customerservice@hsbc.com.hk>
Subject: Re: Bank Transfer Notification
Attachment: 240-20201013-887387-MT103.zip (contains "240-20201013-887387-MT103.exe")

AgentTesla SMTP exfil server:
smtp.foxmalil.com:587

AgentTesla SMTP exfil email address:
logs01@foxmalil.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70305/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.8121.23072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489292
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 03:36:49 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6frv7fh62v3owdiku76ak74bivat6pz64xb7e4g6mpvvo47lacq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45
AgentTesla
19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142
AgentTesla
3e695a89076841d73f8bc2984ab615906d0896dcee90ee84317228b34bedae9f
AgentTesla
7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
AgentTesla
b6dac3c563e7b771fa56992d6c5ac321278e8ff4653b5f50f283855e672cdb3d
AgentTesla
df24f7a07b85a3e878b8dfd7df926a1c613bbf99d070bc60fcbde5c2fc1d6209
AgentTesla
e03c4f9c8ae0b28a7538315c3af97428339911bd6118371c0459adfd14abca44
AgentTesla
ecd02b07f2d16323eb97c26de4ed644479f33bd6c20fe4b554cff7ef1b62c300
AgentTesla
+ 586 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201013-yptsetbasn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805
MD5 hash:
16f3433ee5c743b8e296615aa62f74e3
SHA1 hash:
7f628ad5dd8fcd6b58b6b19d583111d041dd0581
Link:
https://www.unpac.me/results/f2f4c65f-4983-4efa-a7e7-65486ca0ab17/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/f2f4c65f-4983-4efa-a7e7-65486ca0ab17/
SH256 hash:
26fe66a1516042ea31a521f54e77e9742560eaaa444259faa0c302d1be1bfd34
MD5 hash:
795cff0c09dfaa17239d316362a2ccf2
SHA1 hash:
377a373e595d037fa45fa592b52f4548f79bce2a
Link:
https://www.unpac.me/results/f2f4c65f-4983-4efa-a7e7-65486ca0ab17/
SH256 hash:
6d86e26214990e7fc754be975b3b8268ec6f42c7246e88bdd1dff03922096c88
MD5 hash:
78384f14396f1c3181913ff288397df2
SHA1 hash:
4af1a965fb516a8aa2faecdf84409539f84c2c5e
Link:
https://www.unpac.me/results/f2f4c65f-4983-4efa-a7e7-65486ca0ab17/
SH256 hash:
e4ab3e79e93f1956abb7a5eb6f2e7602271ba02cb7346fd1d3737f39c0071cce
MD5 hash:
00adfba1b96cfe653d8d6ec8b82d2033
SHA1 hash:
bff876876bca8dab7dadd6770c7294e14b75f578
Link:
https://www.unpac.me/results/f2f4c65f-4983-4efa-a7e7-65486ca0ab17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8b9d67c7c061d216e0138559840fe22d7bdd705b9fbb9f643b4e1e1e4281f128

AgentTesla

Executable exe 878b1afca7f6abb75868553fe02bfc0a2a09f9f9f72e1f9386f31f5abb9f5805

(this sample)

  
Dropped by
MD5 5ddedec2fdade672292a0e82526261fd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8b9d67c7c061d216e0138559840fe22d7bdd705b9fbb9f643b4e1e1e4281f128
Cape
Cape
https://www.capesandbox.com/analysis/70305/

Comments