MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15
SHA3-384 hash: 03044f0c33766dcdee8fcd12783ff881754a3ea5ccf39d5b69c2d2d5b244cfe3c2bb19c2aea3aae1c937fd2a2d494c04
SHA1 hash: 78e6aec1a778e901f289369ddfd2144fe9d595df
MD5 hash: 31d7c9de4d1b739ec63418eb198e84b3
humanhash: tennessee-queen-william-twelve
File name:ebuka.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'568 bytes
First seen:2021-07-27 06:04:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:nOz2v4SvqPzMj5FXiZI2DPYHaOh+Z6DQFyb/+Cq1qZEnbC1RQ29SIa7mo5oFCEkv:ne2AgqPzMNFXiO2jNOh+ZNF0FEnbH7mc
Threatray 7'392 similar samples on MalwareBazaar
TLSH T109E4BFF935393B5FF49384BE54B45CA2696014FAC92EC782F32341AAEF0C49B99406D7
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ebuka.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-27 06:06:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a076808-9b84-4000-8e8e-7759050cf181

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174230/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17225.7935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b40254de-a2ef-4842-b5b5-6ee4dfc0486a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822121
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454533 Sample: ebuka.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 3 other signatures 2->57 6 ebuka.exe 3 2->6         started        10 NXLun.exe 2 2->10         started        12 NXLun.exe 1 2->12         started        process3 file4 29 C:\Users\user\AppData\Local\...\ebuka.exe.log, ASCII 6->29 dropped 59 Writes to foreign memory regions 6->59 61 Injects a PE file into a foreign processes 6->61 14 RegSvcs.exe 2 4 6->14         started        19 RegSvcs.exe 6->19         started        21 RegSvcs.exe 6->21         started        23 RegSvcs.exe 6->23         started        25 conhost.exe 10->25         started        27 conhost.exe 12->27         started        signatures5 process6 dnsIp7 35 mail.rgp.com.pk 14->35 37 email.rgp.com.pk 192.185.99.6, 49767, 587 UNIFIEDLAYER-AS-1US United States 14->37 31 C:\Users\user\AppData\Roaming\...31XLun.exe, PE32 14->31 dropped 33 C:\Windows\System32\drivers\etc\hosts, ASCII 14->33 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Tries to harvest and steal ftp login credentials 14->43 49 3 other signatures 14->49 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->47 file8 signatures9
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 00:11:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snyjdawvpg2dhks7l7q6j3v2jxr3lzex66ff542ngw6ntaput4kq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3280a97200b04ee7c4269d468acdde031570d46d59b7991948c22fcf9fbf4773
AgentTesla
5819733ed35e38adfd24c6c0b9da7efcc49e611b82c3fa5ab3e716c3fe63d295
AgentTesla
73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
AgentTesla
b915e46bfe27a03870fb223223ff2af61c15226a650031317d2acf558c55a3a9
AgentTesla
b95c99701d429de9d8f52792d7a2b462ec6e342618a04ef419710b42e76293ff
AgentTesla
ba62b8b54d27d67747de2d3a89012d81b9f5b51a6b7137fad783b9aae4ad9dd4
AgentTesla
df730a5c1462ced883e78b64dbb7d34c7687b3e0b20914559a87a3719496818f
AgentTesla
e700f33183adc4f25318e82877e7bd4fabac1a9087d72bc4c1d1d98e80ea7fcd
AgentTesla
eed29bcc7839a20dbdfb496d946de1f47404b693dff72cabfbd4d21f26d8ecd3
AgentTesla
+ 7'382 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210727-h8gdpr8gg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
820abd087ca3c9546447d516562e8df022eadf4f8794d6db787cf7cae7846e8d
MD5 hash:
c69fb3c0f7fba8d84563f6762795831c
SHA1 hash:
eba1d5cc1f8d0166d46a2b87eae45c65e22344a3
Link:
https://www.unpac.me/results/d7fbb234-55da-4f41-98fe-22d436f97138/
SH256 hash:
c6cae2b3601cfebc4b633521906117a7bf5d2853c332ba1689b5438b71b4fe8b
MD5 hash:
3b9791581e180343f64a0f1a7af031d8
SHA1 hash:
a2935c88c90052245847c749bda6a6b93bda616e
Link:
https://www.unpac.me/results/d7fbb234-55da-4f41-98fe-22d436f97138/
SH256 hash:
5dd20a76b06d9fb95796873684f527371c087592ec66a0c3dfb3179297852c58
MD5 hash:
0c91b395e01b9471132cc3bab390a060
SHA1 hash:
853a3419b5dce2036898dcae502872150b9c25ab
Link:
https://www.unpac.me/results/d7fbb234-55da-4f41-98fe-22d436f97138/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/d7fbb234-55da-4f41-98fe-22d436f97138/
SH256 hash:
93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15
MD5 hash:
31d7c9de4d1b739ec63418eb198e84b3
SHA1 hash:
78e6aec1a778e901f289369ddfd2144fe9d595df
Link:
https://www.unpac.me/results/d7fbb234-55da-4f41-98fe-22d436f97138/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d2a9e5fd925d49872bb2412d446d162dd47673f1f94998589d1a663d28419e67

AgentTesla

Executable exe 93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d2a9e5fd925d49872bb2412d446d162dd47673f1f94998589d1a663d28419e67
Cape
Cape
https://www.capesandbox.com/analysis/174230/

Comments