MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd
SHA3-384 hash: c82eda70b8576d515fde7a734a34cc134089684c203cac2f0be4dc75c29664b7cd93deab80e36609af81dbc0b144e37b
SHA1 hash: 839baec319010dbbe2cd5d3e822def037c083940
MD5 hash: 8c29b3b5d7de4173ce340ff4c2dffe10
humanhash: hot-pennsylvania-pluto-washington
File name:SecuriteInfo.com.Variant.Bulz.272292.5728.2860
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'138'176 bytes
First seen:2020-12-18 09:59:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:FCtxxHlpnItCX+sUgMttuQjf4JBonwkPtbLjw:MPrpnmVXBPJU
Threatray 1'913 similar samples on MalwareBazaar
TLSH 31358D203AF96759F077ABB45AD46455D7FEF623B316D84E2C5002CB0A23B40DF92A36
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order.xls
Verdict:
Malicious activity
Analysis date:
2020-12-18 07:22:43 UTC
Tags:
macros loader
Link:
https://app.any.run/tasks/2d8b407f-30b1-4e9e-8cab-0813e3b1463f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108376/
Detection(s):
SecuriteInfo.com.Variant.Bulz.272292.5728.2860.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566199
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332183 Sample: SecuriteInfo.com.Variant.Bu... Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for dropped file 2->30 32 Sigma detected: Scheduled temp file as task from temp location 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 9 other signatures 2->36 7 SecuriteInfo.com.Variant.Bulz.272292.5728.exe 7 2->7         started        process3 file4 22 C:\Users\user\AppData\Roaming\JsJfbmH.exe, PE32 7->22 dropped 24 C:\Users\user\...\JsJfbmH.exe:Zone.Identifier, ASCII 7->24 dropped 26 C:\Users\user\AppData\Local\...\tmpE2C4.tmp, XML 7->26 dropped 28 SecuriteInfo.com.V...272292.5728.exe.log, ASCII 7->28 dropped 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->38 40 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->40 42 Injects a PE file into a foreign processes 7->42 11 SecuriteInfo.com.Variant.Bulz.272292.5728.exe 2 7->11         started        14 schtasks.exe 1 7->14         started        16 SecuriteInfo.com.Variant.Bulz.272292.5728.exe 7->16         started        18 SecuriteInfo.com.Variant.Bulz.272292.5728.exe 7->18         started        signatures5 process6 signatures7 44 Tries to steal Mail credentials (via file access) 11->44 46 Tries to harvest and steal browser information (history, passwords, etc) 11->46 48 Installs a global keyboard hook 11->48 20 conhost.exe 14->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 07:47:51 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=votop22ifgvjiphis7w3pvvgy744shcrmcmhgr4z2zdndfn3xk6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d03382dc9f8a0cbe7657da9f41c7ae26073bcebb74094468acd7cf31e546829
AgentTesla
242045c07ffb6427b046939045d9312f3beaa954ef3ec60316247f7dfdfbca3e
AgentTesla
503c4213cf8547c3e4f31c34bd75960f9f2e2ba40a37ad7ca2e06e52229e44e5
AgentTesla
5827618e631faa0da77858e8849358e5f1e811c62986700aa1f33cf4e26ce516
AgentTesla
69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c
AgentTesla
91c38249ac49fe69a70d20e74b88c801c94fc63c1772f07e82e21fdcff268e8e
AgentTesla
b8d0f5a88fd8d100cc6dc0f63e31c14c9fda07be97422b0ee2355cb73c14bd97
AgentTesla
e5d8c5c382b01a400205b1477e89b12f9eea14fdf10c5e4d31640954910661b6
AgentTesla
e9bd86ab3129da3447a70bac66feb2f90f7829e5b4595cff15a31a45b1cf82f7
AgentTesla
f64ecad45aae27f037e819a6adfaeebbdf0f769690a46a89a29d4f0da22b6cd4
AgentTesla
+ 1'903 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201218-26vblvk3ms/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd
MD5 hash:
8c29b3b5d7de4173ce340ff4c2dffe10
SHA1 hash:
839baec319010dbbe2cd5d3e822def037c083940
Link:
https://www.unpac.me/results/bd64c53b-0bcc-4aaf-a433-9609082e03b2/
SH256 hash:
d2f3975f8ae0f587d9c122be6c54c5f5a18054781c711b22e163b00473fcb92b
MD5 hash:
cb49cf39fd3b60895cf76b0a006c1536
SHA1 hash:
1bcee275966b5767fed09e2f62f9585d3f8a3470
Link:
https://www.unpac.me/results/bd64c53b-0bcc-4aaf-a433-9609082e03b2/
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/bd64c53b-0bcc-4aaf-a433-9609082e03b2/
SH256 hash:
c6e80fa1bd419a6dfa13209f02c6e2986b433417ce26f37a9b76dc9b49b05f60
MD5 hash:
d4c3be42e3b086b45ee3e64100998ee7
SHA1 hash:
bbf37d7a36d12f0557d8f09e8cb013c489671c1a
Link:
https://www.unpac.me/results/bd64c53b-0bcc-4aaf-a433-9609082e03b2/
SH256 hash:
5abd37671043c1aa04843a3e4cd4b29954ea66b5ce11c3bef44abaf36452ad2d
MD5 hash:
c40194b6e0b18410dc4059bea234260e
SHA1 hash:
e573f107ca34157bdee67ada8897db680bc15dd1
Link:
https://www.unpac.me/results/bd64c53b-0bcc-4aaf-a433-9609082e03b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe aba6e7eb4829aa943ce897edb7d6a6c7f9c91c516098734799d646d195bbbabd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/927475/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108376/

Comments