MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb80388ea4df988a288c2d06274aee2b2db7f2e645ce83ad67980624708fbbd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	bb80388ea4df988a288c2d06274aee2b2db7f2e645ce83ad67980624708fbbd7
SHA3-384 hash:	842be02afcc58241c1e1a4199bf91776be92cf7b5fa82ca0b7b4a1e84038898ec788287439ff0310f09e8fa7e4d3f2c2
SHA1 hash:	fef9af0ee0d6c7faae895a17a6bf4304118ddfa8
MD5 hash:	c09bcf5ff3406113ae3a912713a42e1b
humanhash:	two-coffee-comet-foxtrot
File name:	Parking List.pdf...exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'187'840 bytes
First seen:	2020-10-16 13:39:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:RW1fhdh6/hZQXegrf8pGHzfEWDgzUlDrum7BsvKaP7r9r/+ppppppppppppppppF:RW1fh8hsPEMYWcUlXum74Ka1q
Threatray	587 similar samples on MalwareBazaar
TLSH	09456985EA144E57CCDF5BB40A36C834F2363E995838DA0D29CD3D9B3BB639122D2D46
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.fpcci.org.pk
Sending IP: 124.29.202.181
From: Sales <sales@bertschi.com>
Subject: RE: Invoice & Packing List
Attachment: Parking List.pdf...zip (contains "Parking List.pdf...exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/72055/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/493724

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb80388ea4df988a288c2d06274aee2b2db7f2e645ce83ad67980624708fbbd7/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-10-16 13:41:06 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xoadrdve36miukemfudcosxofmw3p4xgixhihllhtadci4epxplq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2f02f87bd00996719cd97c827f1bd4578033a03d7e3884ec18ec0eca32cee516

AgentTesla

33173729b4041cb76f237254201f440babcde775bfa912329d0ebe4b5b8a97e2

AgentTesla

76e9f23704658774f7a6e20425ab60b0575ba40ab95b5ec670b5601a7c3ccb19

AgentTesla

8899a90e9da2a5de4afe8ba47e95750e95ec17ede7c31557d7a28243b9756364

AgentTesla

8f1df804a5fc826de1487d95db7e15faede754cd925132f7e920fd712e154208

AgentTesla

98f16bf7fd0d32ebf300230c3992712556f0bebc91678c4a6da74f7a900be68b

AgentTesla

bae353be3d64c66c76ca33280e436b02460497265e503b772db81c2e84971cba

AgentTesla

f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907

AgentTesla

f924ed04e2ce70872e8e341379288a15579ade521df2e4d248054fe2d9357ee2

AgentTesla

+ 577 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201016-1xwb9tkbba/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

8325814c5edbe16c76dd02942dd4f83cef3d8026e4f48c6e6006fdb56dfcea6d

MD5 hash:

d990e0f465906344b42a58d557429a98

SHA1 hash:

16e93769d63ecc76d68b19caf8660e7dd6213fb9

Link:

https://www.unpac.me/results/f582a938-ae77-4d52-89f1-bd41cb6f354b/

SH256 hash:

f0fc14b5c2b209f6f919b3b15387657b0453fca69fedfa28d241a6c843011b2f

MD5 hash:

5ffb5743c59df2bd39c2052267a5c376

SHA1 hash:

73ef8a92316d7979fc641a89856e5771893b2108

Link:

https://www.unpac.me/results/f582a938-ae77-4d52-89f1-bd41cb6f354b/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/f582a938-ae77-4d52-89f1-bd41cb6f354b/

SH256 hash:

bb80388ea4df988a288c2d06274aee2b2db7f2e645ce83ad67980624708fbbd7

MD5 hash:

c09bcf5ff3406113ae3a912713a42e1b

SHA1 hash:

fef9af0ee0d6c7faae895a17a6bf4304118ddfa8

Link:

https://www.unpac.me/results/f582a938-ae77-4d52-89f1-bd41cb6f354b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb80388ea4df988a288c2d06274aee2b2db7f2e645ce83ad67980624708fbbd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.