MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbb9ba65aab3b8469769a5c442bc0f28b0ff6fe4a8f64bad2f15fee855575bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 10

SHA256 hash: dbb9ba65aab3b8469769a5c442bc0f28b0ff6fe4a8f64bad2f15fee855575bcc
SHA3-384 hash: 6bcbd26fcdba68eb311550fd170e979e9bb677c29b80bad649671c1ddca9a36dc0c9bf088b13f77c8e70d28e87e55ff8
SHA1 hash: a977b17bfb91f85d1380a5e3a0e439f305631e1c
MD5 hash: 47896b1e81b651fe86e44d4f2cea8265
humanhash: harry-fish-london-river
File name: 220009022.exe
Signature: AgentTesla
File size: 405'386 bytes
First seen: 2021-07-09 07:34:22 UTC
Last seen: 2021-07-09 08:55:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep: 6144:6Mm4CC0JdAJEBH01jnPHPSuC70US/rDdugMfje4k:6MwzJ5lovSnINuFL1k
Threatray: 6'515 similar samples on MalwareBazaar
TLSH: T18B84C3C72FE3553CF3EE48B108D462F35D5E9AF33520AD6BD012DA8A5D2406624DB29B
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 171
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 220009022.exe
Verdict: Suspicious activity
Analysis date: 2021-07-09 07:40:10 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-09 06:41:15 UTC
AV detection: 14 of 46 (30.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Telegram_Exfiltration_Via_Api
Author: lsepaolo

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Malware family: AgentTesla
File: Executable exe dbb9ba65aab3b8469769a5c442bc0f28b0ff6fe4a8f64bad2f15fee855575bcc (this sample)
Delivery method: Distributed via e-mail attachment
