MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b
SHA3-384 hash: e7a23777e03de85e53da117eca8408d6eedcb5a9d41a95b2af8e3a1a90e284e19f55e29002daebc43aa812415f63e04d
SHA1 hash: 442eaa27d23dc72fd96c9d2d984068669afbeb5d
MD5 hash: 8bdf3d3cb7c7680df5b8d6385dc5db82
humanhash: seventeen-mango-friend-johnny
File name:Halkbank_Ekstre_20210113_162325_384771.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:517'632 bytes
First seen:2021-01-13 20:12:43 UTC
Last seen:2021-01-13 21:59:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7da020c2fad0c59a3d5e97971484548 (3 x Formbook, 2 x AgentTesla, 2 x Loki)
ssdeep 6144:Lr1I5DbAQcHAORYANc73CoNUkJYUTIHRghDfeIenXA87i+uLJl98xCoxCB:/1I5fAPHQNUdHID9Yb7PO9YCB
Threatray 210 similar samples on MalwareBazaar
TLSH E4B4E0663AA294F3C5694A73BC246776B2777C2102A444EFEBA8FCD91933780D02517F
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: halkbank.com.tr
Sending IP: 155.94.185.117
From: HALKBANK.E-EKSTRE@halkbank.com.tr
Subject: T.HALK BANKASI A.Ş. 01.01.2021 - 12.01.2021 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20210113_162325_384771.r00 (contains "Halkbank_Ekstre_20210113_162325_384771.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20210113_162325_384771.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 05:43:58 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/6875b569-46b4-46e8-ac83-326d246cf66b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111852/
Detection(s):
SecuriteInfo.com.Artemis8BDF3D3CB7C7.29614.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580655
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 20:13:15 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=upcwjw4vg74ea44crzbk7boakwhhmpfschuaxvdfhzbj5s3cz2fq._file
Verdict:
unknown
Similar samples:
1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
AgentTesla
1f9d1bffe188b76bbd97cb2fd59ab47248b71fcede2f415ca29fcc0f1040bbee
AgentTesla
2598d8fe011595cd74778112ae8704ae239444808cd3dd5938f800f16d8ae1b0
AgentTesla
5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
AgentTesla
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
AgentTesla
90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e
AgentTesla
a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593
AgentTesla
aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12
AgentTesla
e178d0ed3b308beca605b9b5f71fd420bb438dc2c12e37523982982d57df22a3
AgentTesla
e598d09eb75436c41fd667d85213895ce5dd4903474c5bc38a797e725a75d2e3
AgentTesla
+ 200 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210113-8gknygtykx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b
MD5 hash:
8bdf3d3cb7c7680df5b8d6385dc5db82
SHA1 hash:
442eaa27d23dc72fd96c9d2d984068669afbeb5d
Link:
https://www.unpac.me/results/bcc6876f-487f-4f36-bfbe-4fda03ba9965/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 e4bb12f30e1ca0bf445b0486ab1edb043ad3cb1cc5dd07e4a95946b693de5e10

AgentTesla

Executable exe a3c564db9537f84073828e42af85c0558e763cb211e80bd4653e429ecb62ce8b

(this sample)

  
Dropped by
MD5 76a2c5bc066597b446c32dd6d031ce3d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e4bb12f30e1ca0bf445b0486ab1edb043ad3cb1cc5dd07e4a95946b693de5e10
Cape
Cape
https://www.capesandbox.com/analysis/111852/

Comments