MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc
SHA3-384 hash:	7517ac736b18ae9773bca715d2e3360ccc5a74ff8839777feee2f1157274272deabf8e741a5e333bffd67e6c95e266f7
SHA1 hash:	177195fd733f422a7feefbd45f55be37425104be
MD5 hash:	a67f233c5de09c722a32b721738b5c36
humanhash:	single-foxtrot-river-illinois
File name:	Halkbank_02829378744_9299_2837291739471173.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	734'208 bytes
First seen:	2020-11-19 00:40:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d1ac88a064c1f440665011c239216056 (3 x AgentTesla, 1 x Formbook, 1 x AsyncRAT)
ssdeep	12288:NOCWYFagi9b3nBCe6ayKrgpA7Q45SaDQKsO4eP7/6YJ/Z3vD4qFsbw8:NOClrKbyu64YakReGeBvtFF8
Threatray	1'383 similar samples on MalwareBazaar
TLSH	10F401387A80C037C21A25705AF1D3BDAA7874756B6886C3BB955FBD1F203FA6631247
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Temonde-6571898-0

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Unauthorized injection to a recently created process

Creating a window

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/541976

Signature

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc/

Threat name:

Win32.Infostealer.Stelega

Status:

Malicious

First seen:

2020-11-18 09:46:57 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmq2l4lapqiqkwokopgicbxwcmjwq7rqjm6gbg3rqwapmrzul7ga._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3b02adbda158a35f586aa1f17780dc8d5cd0404c864a16b8c6b5a8f2b02363f9

AgentTesla

63df3bb5a21f79eab527fcb4a5e196ab77b6a7e6d898edcf3e8db0a87f45ef08

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924

AgentTesla

a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0

AgentTesla

c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96

AgentTesla

c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec

AgentTesla

ec5f9f7e91d92d5676b928f6b88f3d7e429b948811eb5c8358f36cffe67a97df

AgentTesla

f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61

AgentTesla

+ 1'373 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201119-m4qkdmbpha/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

61df7136313828769b01f91b5f1758f98707aae8118d01fadce95bb0792aa41e

MD5 hash:

685b4136be0533c19514cfa273f35da0

SHA1 hash:

0c74e63b9ae079d81eb84c7c7fdba1b8e401517d

Link:

https://www.unpac.me/results/f26bb495-61e0-4873-8e4a-1a6fa0a071cd/

SH256 hash:

2187ec8c196343a0f776af992de4713aeca90dac3efdc85f40085bec0c5051c3

MD5 hash:

54d07050a36fd2fd0b2e0cdbfcc38221

SHA1 hash:

aadbaf3bb1f753b66f5cc07e770caa43bc1969e5

Link:

https://www.unpac.me/results/f26bb495-61e0-4873-8e4a-1a6fa0a071cd/

SH256 hash:

bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc

MD5 hash:

a67f233c5de09c722a32b721738b5c36

SHA1 hash:

177195fd733f422a7feefbd45f55be37425104be

Link:

https://www.unpac.me/results/f26bb495-61e0-4873-8e4a-1a6fa0a071cd/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.