MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bccddc3e17f9665312a69e3d858d7fd5fc07f5c77d063ec41f3a835cf870df0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 1 File information 3 Yara 3 Comments

SHA256 hash: bccddc3e17f9665312a69e3d858d7fd5fc07f5c77d063ec41f3a835cf870df0c
SHA1 hash: 6c6c147f2b2193335e8d5ff0571b77171542b14b
MD5 hash: 3006764b5cefd79ff9ce26a76d2a5ac2
File name:Halkbank_Ekstre_20200522_080247_232393.pdf.exe
Download: download sample
Signature AgentTesla
File size:1'480'704 bytes
First seen:2020-05-22 13:54:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091
ssdeep 24576:Ztb20pkaCqT5TBWgNQ7aGFviVoikZdKpl1TH1/3SM+36A:qVg5tQ7aGliVZR/51vFE5
TLSH 1B65E01363DE8361C7B25273BA15B741AEBF7C2506B1F96B2FD4093DF920122521EA63
Reporter @abuse_ch
Tags:AgentTesla exe geo Halkbank TUR

Malspam distributing AgentTesla:

Sending IP:
Subject: T.HALK BANKASI A.Ş. 21.05.2020 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20200522_080247_232393.pdf.r00 (contains "Halkbank_Ekstre_20200522_080247_232393.pdf.exe")

AgentTesla SMTP exfil server:


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 30
Origin country FR FR
ClamAV Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
VirusTotal:Virustotal results 30.43%

Yara Signatures

Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Rule name:win_agent_tesla_w1
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe bccddc3e17f9665312a69e3d858d7fd5fc07f5c77d063ec41f3a835cf870df0c

(this sample)

Delivery method
Distributed via e-mail attachment