MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d
SHA3-384 hash: 7a1470ee3e7051dbfb0cea029d9cdd0d5b84a47d6fa8df2f76dd5f84c7613fa9c38e2d534dacb20260fc8b31961e8e6b
SHA1 hash: ff6576a6d5d23d775a4960b7ccbb5727044501c9
MD5 hash: fc9e2df82fdda41c3cbbe5037c9afa51
humanhash: johnny-high-coffee-summer
File name:Payment Advice_ #MT103_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:811'008 bytes
First seen:2020-09-23 06:15:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d58e68fdbbd7a7d3afa6a6992702bd2 (5 x AgentTesla, 1 x Loki)
ssdeep 12288:GjbBOJuk1EYLwotbltPbjn1gFi7Vik4BKVToDdE0iKKEDB:dn7LPXVui7ViFrRDi+9
Threatray 752 similar samples on MalwareBazaar
TLSH EE058D26B3B24873D1632A3C9C1BD7749836BE302D28B9466FF5DC489F7964138292D7
Reporter sergedroz
Tags:Agent Tesla AgentTesla


Avatar
sergedroz
Date: Wed, 23 Sep 2020 07:14:04 +0200
From: "HSBC SERVICES LTD." <zaklina.rakic@barajevo.org.rs>
To: undisclosed-recipients:;
Subject: Re: Payment Advice 22/09/2020 - Advice Ref:[GLV924565043] / ACH
credits / Customer Ref:[C27-20190911-142533] / Second Party Ref:[512389801785]
Message-ID: <5e91d820a4569d4d6b3942d524ae277d@barajevo.org.rs>
X-Sender: zaklina.rakic@barajevo.org.rs
User-Agent: Roundcube Webmail/1.3.14


ace compressed

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/473018
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-23 06:17:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtv2b3gzj2ef6mvs5g3ig43jdnbyq7tq626jaody7w3ukup4sgoq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0b1453de5134635dc69e8359da060210c55e2af6c875497512db6332486e3ea0
AgentTesla
125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1
AgentTesla
15ef597d7c75003efe90c9a85c5a80066671c664a1db0ea6be28c0e0f1370be3
AgentTesla
20d228902e80950b04fb2ef5964593b0e9da70ceb731df60a4d77f8a7a9cfb28
AgentTesla
a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd
AgentTesla
c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd
AgentTesla
cd2b2d05e9154852f77c8377ee83f620951e47047bb702e026690508fee44416
AgentTesla
d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834
AgentTesla
d98f8380522e71c61b91d1fbdf98c0528fc20388a85695529824754f00a183a1
AgentTesla
f2c20a14052af4c93a5f7cb4e27c106e9a9d2c1be1797a03e5874720d53f255f
AgentTesla
+ 742 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200923-3re3rebt62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d

(this sample)

Joe
Joe Sandbox
https://www.joesandbox.com/analysis/288949/0/html
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/64691/

Comments