MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c
SHA3-384 hash: 2cd578b2f7d9de16ed37835c546251f9180957ee09ae0446615f93449baa1dd912af81da9792140fca1eaf2054976f4b
SHA1 hash: 4cc883ae7dcca87e7ff7ac3e9dc3e4b172f2c1ed
MD5 hash: 7dfe41edd8e59f735febd6434f2c8b1c
humanhash: oven-mars-spaghetti-earth
File name:bbva confirming Aviso de pago EUR5780020210104.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:616'960 bytes
First seen:2021-01-04 13:15:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:adaNisKbO9MPuBj1/MKI3WmOnKcR+z72s5B/xD:zN2qKud1VImdnKcy7Lp
Threatray 2'059 similar samples on MalwareBazaar
TLSH E4D4AD2933A86B66E1BE677981306101C7F1B887D329D23EBDE4D0DE5AB1F414A71336
Reporter abuse_ch
Tags:AgentTesla BBVA ESP exe geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail1.dsdiagram.es
Sending IP: 34.242.44.21
From: BBVA Confirming <Confirming.bbvaf@bbva.com>
Subject: BBVA Confirming - Aviso de pago
Attachment: Notificacion de transferencia de pago ES5720210104.pdf.lzh (contains "bbva confirming Aviso de pago EUR5780020210104.exe")

AgentTesla SMTP exfil server:
mail.insergejk.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbva confirming Aviso de pago EUR5780020210104.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-04 13:18:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/022af40a-cefe-4e9e-a360-439697ff0f0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110389/
Detection(s):
SecuriteInfo.com.Backdoor.MSIL.REMCOS.513b3e48.17048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573350
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jbt3pl2o3tfev25k32tvhwhjzaduzqhmni3asko25hv6jiyv4wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ba0cfe605b7b1f5b3d528da4345630f504581be60dd5b73b232118a6aa37c43
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232
AgentTesla
73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782
AgentTesla
956741cfb963a29651abae4b0bee9185ad7688cdc0f97f2336c891daab84976e
AgentTesla
b28a86d010b9e52bf00698dbef0d9daeaccc4c67ae772d83bead4541d2feed7b
AgentTesla
cd0eafd35e2ca61e958567193cec0bf687853f15ba30b21ac01447e84305e556
AgentTesla
e01ebcaeb9a4d013354443b10df0a2280861bb290e7c88bc32055dbfbfaa2065
AgentTesla
ede0c266836e85d1ac3bc623377fda09bb0135a9746a0ecde6d7c52c7eddfc24
AgentTesla
f0cc41f0a0ef330ace0f27bc22fc662d9bc5ddba3955f48ba6199bab268a59da
AgentTesla
+ 2'049 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210104-de4k2xmxge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c
MD5 hash:
7dfe41edd8e59f735febd6434f2c8b1c
SHA1 hash:
4cc883ae7dcca87e7ff7ac3e9dc3e4b172f2c1ed
Link:
https://www.unpac.me/results/e7a7615a-0b35-45d6-b680-818b1f67000a/
SH256 hash:
fcd184f0d870fdc2853305f2800d04f70edccb1dae255516837774049eadb294
MD5 hash:
72bafb9a9bfc87e0e0f0883c01357d99
SHA1 hash:
23d8a53accdc79e6786328e4914c08fb778c4f7e
Link:
https://www.unpac.me/results/e7a7615a-0b35-45d6-b680-818b1f67000a/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/e7a7615a-0b35-45d6-b680-818b1f67000a/
SH256 hash:
68f70a6168bb769b9bb51fffaf3e4279ea8139d0646344cced788498f8f0d5a2
MD5 hash:
7af251aa56116c83d60eab06a43fb908
SHA1 hash:
493437442b51960b3a3e5c41215df87893f24c54
Link:
https://www.unpac.me/results/e7a7615a-0b35-45d6-b680-818b1f67000a/
SH256 hash:
5dfc00ca20f0231c7c6a1321718d566adcbe3bddd9c14eaf89683f22304d3d02
MD5 hash:
dde00fe3a7bdc0e492dd48a4b9860431
SHA1 hash:
68f07c29551226720f6335291f8d368129c254df
Link:
https://www.unpac.me/results/e7a7615a-0b35-45d6-b680-818b1f67000a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c959c03dc6bc0f60ce4e784220b4b602ad6523c5ab03e5a7fd67e0f3e6ee3d72

AgentTesla

Executable exe d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c

(this sample)

  
Dropped by
MD5 d080f7ff8d278c2458a8e6208a089dc0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110389/
  
Dropped by
SHA256 c959c03dc6bc0f60ce4e784220b4b602ad6523c5ab03e5a7fd67e0f3e6ee3d72

Comments