MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef
SHA3-384 hash: 52972d330bd78c43c2e2b6c0ac55b547712a31d9af90351fee55ca5e61ca88ddec31965d6c004f294449e88cc6dfa290
SHA1 hash: b3beb8d9f14cd3d89fbc17b4a702d2d54e5194aa
MD5 hash: fd805f6b86289e0f4c35c38f1ea352f9
humanhash: batman-sweet-bluebird-sodium
File name:payment in euro.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:46'928 bytes
First seen:2020-10-14 15:22:59 UTC
Last seen:2020-10-14 15:57:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 768:9YHCr7tIk1nfX+JIn+uMpPPuvVjgMym23hOAEUf2hq:MwxIAn/H6Mym23NEUfr
Threatray 4 similar samples on MalwareBazaar
TLSH 38232E5C66CBCE23DA35283814E780E561F43663D834E66C6FDADED4B6F02082B16D5B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gmail.com
Sending IP: 185.222.57.73
From: info@b-account.com
Subject: FW:payment in euro
Attachment: payment in euro.exe

AgentTesla SMTP exfil server:
mail.albaniandailynews.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70893/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.5536.16490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a TCP request to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491322
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298218 Sample: payment in euro.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 57 pastebin.com 2->57 59 hastebin.com 2->59 69 Antivirus detection for dropped file 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 10 other signatures 2->75 8 payment in euro.exe 24 6 2->8         started        13 payment in euro.exe 2->13         started        15 payment in euro.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 61 pastebin.com 104.23.99.190, 443, 49743 CLOUDFLARENETUS United States 8->61 63 hastebin.com 104.24.126.89, 443, 49734, 49747 CLOUDFLARENETUS United States 8->63 53 C:\Users\user\AppData\...\payment in euro.exe, PE32 8->53 dropped 55 C:\...\payment in euro.exe:Zone.Identifier, ASCII 8->55 dropped 77 Creates an undocumented autostart registry key 8->77 79 Creates autostart registry keys with suspicious names 8->79 81 Creates multiple autostart registry keys 8->81 83 2 other signatures 8->83 19 powershell.exe 25 8->19         started        21 powershell.exe 24 8->21         started        23 powershell.exe 24 8->23         started        33 4 other processes 8->33 65 172.67.143.180, 443, 49744, 49749 CLOUDFLARENETUS United States 13->65 25 timeout.exe 13->25         started        27 timeout.exe 15->27         started        67 192.168.2.1 unknown unknown 17->67 29 timeout.exe 17->29         started        31 timeout.exe 17->31         started        file6 signatures7 process8 process9 35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 33->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Suspicious
First seen:
2020-10-14 06:37:54 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcakuacawxzynoevyi5pnmc4dbdt5oo3sxwdsqxhcp6ektdpjtxq._file
Verdict:
unknown
Similar samples:
2bf089ca557a9f45614b8c69d1e99c2865ccce16d5623d43f058421ddd16e3e4
AgentTesla
62a3f96dbc53b59dc32cac8f2627992d4152cbd6735e488c4ae86f089dc97aa8
AgentTesla
b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4
AgentTesla
c1fa48c0b9c81541dc2ba39db3fc1c410f6231e8df9aa69c02bdd1c8549b453a
AgentTesla
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201014-912zvxfh7s/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef
MD5 hash:
fd805f6b86289e0f4c35c38f1ea352f9
SHA1 hash:
b3beb8d9f14cd3d89fbc17b4a702d2d54e5194aa
Link:
https://www.unpac.me/results/40e90db3-479d-4d72-84ab-8b2ef7c60e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b880aa0040b5f386b895c23af6b05c18473eb9db95ec3942e713fc454c6f4cef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70893/

Comments