MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c27155aba064aa455e563f7107232b9054480a144fcf7a95be062b38da27d7fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 8

SHA256 hash: c27155aba064aa455e563f7107232b9054480a144fcf7a95be062b38da27d7fd
SHA3-384 hash: 66d8ddd17ffe94c1966dfa665ba72513913d518fa5dbb02daa6688cecb73d3116508ae36a3dfcb826b41c5bff261daa2
SHA1 hash: 1bb2d6e948e668af3f16c6153f52936ad62ef127
MD5 hash: 036094cfc483a7590c9d594bc0e05a3f
humanhash: iowa-tango-july-london
File name: EU.exe
Signature: AgentTesla
File size: 370'580 bytes
First seen: 2021-03-25 10:13:47 UTC
Last seen: 2021-03-25 12:09:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 6144:QAPChSIkcqgZjan1ySTf6B+c1wxVO4iV9Ig997CmDLwY:GhSFS5kQS0K0B99NCmv1
Threatray: 3'474 similar samples on MalwareBazaar
TLSH: CF7402FF71834C97DA5E47790515E0389A66BE0916A1C1A1FB1A3FAF6D3A0E9850C383
Reporter: abuse_ch
Tags: AgentTesla exe

abuse_ch
Malspam distributing unidentified malware:

HELO: djibril.all-kom.com.ar
Sending IP: 200.43.229.202
From: Ahmed Raza' <ahmed.raza@avs.com.pk>
Subject: Inquiry for Porta Cabin to House Pumping System
Attachment: p21-2222234333.zip (contains "EU.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: EU.exe
Verdict: Malicious activity
Analysis date: 2021-03-25 10:47:23 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Threat name: Win32.Trojan.Strictor
Status: Malicious
First seen: 2021-03-25 06:35:55 UTC
AV detection: 23 of 48 (47.92%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files

SHA256 hash: cc42b096291283db89e49fd0e43dc1dccdd2b64ebb09a2f82d17a954010cb9d7
MD5 hash: 8f5859d42d84cc48f50569abcf9d5bfb
SHA1 hash: 6b3989bd6b2ea12d3e96ea1d47966b68f80d36d5

SHA256 hash: c6906191fd93ff2f40ba8bca895653194a4d93346ed63f048571ffdbe830aaba
MD5 hash: 98daafbb3d4b8db66295eb48f9c37153
SHA1 hash: c1ea09249c977f3d616c3d31833bb305688c5eb3

SHA256 hash: c27155aba064aa455e563f7107232b9054480a144fcf7a95be062b38da27d7fd
MD5 hash: 036094cfc483a7590c9d594bc0e05a3f
SHA1 hash: 1bb2d6e948e668af3f16c6153f52936ad62ef127

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe c27155aba064aa455e563f7107232b9054480a144fcf7a95be062b38da27d7fd (this sample)
Delivery method: Distributed via e-mail attachment

Comments