MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c
SHA3-384 hash: a511882c164c94b76c2cd809b8444a025eb58dbd290a006fed5d570a3b040722754e41c40db0de5c9d36bd0bb71bc6c2
SHA1 hash: 4b6acb5995cdef60998ce98d1b1a65dff3152327
MD5 hash: 33781d32bd85d61f542cb3167631fb39
humanhash: neptune-vegan-autumn-butter
File name:33781d32bd85d61f542cb3167631fb39.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:996'352 bytes
First seen:2021-01-20 14:21:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:BZ1stW6zQvXjztivN/ue5z3IZtXKt9Koi6fLlcyypHjO08e4D7ZZn3bv1/Y9p/H7:I3+2jJpm4D1hrv1AnPnibs6xOI6pZfJ
Threatray 14 similar samples on MalwareBazaar
TLSH F925380427AD8F54F2FA9BF802639A4093F72D0A921BD64D5C823DF6367DB83094579B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.naijajob.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33781d32bd85d61f542cb3167631fb39.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 15:01:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aec8ede6-3f3b-4853-aeb9-d0fa0389cafb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113106/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586197
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342129 Sample: Cp8GBuTbdh.exe Startdate: 20/01/2021 Architecture: WINDOWS Score: 100 58 mail.naijajob.net 2->58 60 nagano-19599.herokussl.com 2->60 62 2 other IPs or domains 2->62 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 10 other signatures 2->72 8 Cp8GBuTbdh.exe 6 2->8         started        12 vmhqWYS.exe 5 2->12         started        14 vmhqWYS.exe 2->14         started        signatures3 process4 dnsIp5 44 C:\Users\user\AppData\Roaming\UnffYKzTd.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmpC2F8.tmp, XML 8->46 dropped 48 C:\Users\user\AppData\...\Cp8GBuTbdh.exe.log, ASCII 8->48 dropped 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->84 86 Contains functionality to register a low level keyboard hook 8->86 17 Cp8GBuTbdh.exe 17 5 8->17         started        22 schtasks.exe 1 8->22         started        24 Cp8GBuTbdh.exe 8->24         started        88 Multi AV Scanner detection for dropped file 12->88 90 Machine Learning detection for dropped file 12->90 92 Injects a PE file into a foreign processes 12->92 26 vmhqWYS.exe 14 2 12->26         started        28 schtasks.exe 1 12->28         started        64 192.168.2.1 unknown unknown 14->64 30 schtasks.exe 14->30         started        32 vmhqWYS.exe 14->32         started        file6 signatures7 process8 dnsIp9 50 mail.naijajob.net 162.0.232.208, 49742, 49745, 49746 NAMECHEAP-NETUS Canada 17->50 40 C:\Users\user\AppData\Local\...\vmhqWYS.exe, PE32 17->40 dropped 42 C:\Users\user\...\vmhqWYS.exe:Zone.Identifier, ASCII 17->42 dropped 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->74 76 Tries to steal Mail credentials (via file access) 17->76 78 Tries to harvest and steal ftp login credentials 17->78 80 3 other signatures 17->80 34 conhost.exe 22->34         started        52 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.242.59, 443, 49743 AMAZON-AESUS United States 26->52 54 nagano-19599.herokussl.com 26->54 56 api.ipify.org 26->56 36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        file10 signatures11 process12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 07:52:19 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5l7zlejw3s4nxmw3gqu2ydwt57ssmpmzvownlo5qloqpgzevna6a._file
Verdict:
unknown
Similar samples:
03d24a095ae2fbaf26f5535638ff731fd3eb89f2767359ef1df108bdfde5359d
AgentTesla
182fd1343975d43f456f199f379210d562d15ea3c8e4c7bd59899d75c18a2fe9
AgentTesla
1b3b96f5df6130cfcce5b33646e344a55ba42390bd382eff6e2c9c0e87c61e47
AgentTesla
3013607bfee8bcca1767c2a33cea94602e3c97baba31f96fc8a08014cf2576b4
AgentTesla
3dd4c0a246882a35140b2476292a4070038e90755d0f9d9da65daa06a99880f8
AgentTesla
7f7afb406c8f911f21354b2ea60fd688ce8083ed0ab10156c6f3421d927d2fab
AgentTesla
8893a5c23f09b252b052cfafadce1065e5934c1f2877a4a11e98467faee05340
AgentTesla
8fe13da45a5732ae42c27687b9cf9105a3f2028857729bdfbe3ae31514a6b298
AgentTesla
c88032e143d99f2df5aeee4fa79c1290f6dae068d4b254053bc33a6b3dc53a7f
AgentTesla
cc26bac0f47c7d3853f301243a6cca755b3eebd571133ddbb247998caa8d8682
AgentTesla
+ 4 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210120-px9wyx8p3n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d50631bbc912f48210d395b15e0d00a15221b98a0cf6a8016f3c9c7b7917c928
MD5 hash:
328dfa55c7fd89131794f1d10b597b47
SHA1 hash:
2b2989f368be67af656cd322316e3386d6301ff2
Link:
https://www.unpac.me/results/8f601f2f-20d9-4df0-8c90-e9e517d4b48e/
SH256 hash:
c9dd75344692d3f451b55a29c47a73599688b42cba89a568fd43a5dee149885f
MD5 hash:
75e18be908cc0fb4b8a8ceba1d456279
SHA1 hash:
31b6f876576e7e16e0244ae0374ff07698e1f9ef
Link:
https://www.unpac.me/results/8f601f2f-20d9-4df0-8c90-e9e517d4b48e/
SH256 hash:
36528021c27db363548c7cd739cdc28cdf6099822431c127e4aad5e7d432317f
MD5 hash:
8c72bac6b6e004c98cf11b83b87009cf
SHA1 hash:
42cd56290a9c7e2c362e72fa14306eb78e6fa614
Link:
https://www.unpac.me/results/8f601f2f-20d9-4df0-8c90-e9e517d4b48e/
SH256 hash:
eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c
MD5 hash:
33781d32bd85d61f542cb3167631fb39
SHA1 hash:
4b6acb5995cdef60998ce98d1b1a65dff3152327
Link:
https://www.unpac.me/results/8f601f2f-20d9-4df0-8c90-e9e517d4b48e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe eaff959136dcb8dbb2db3429ac0ed3efe5263d99abacd5bbb05ba0f36495683c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/972074/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113106/

Comments