MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5
SHA3-384 hash: 21a7887851318ab15b3aa2c1bbcc3e16dbe939f6d149fc9ac9c9abd49afb14a9175ad201f00337ff042c39c04fbecaed
SHA1 hash: f29366260138af4bafafc2d1006dd15fd8dd5384
MD5 hash: 92b31af297584fdea285036b968dd849
humanhash: oscar-kilo-autumn-fish
File name:PO.no.12.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:961'024 bytes
First seen:2020-11-18 12:51:37 UTC
Last seen:2020-11-18 14:52:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:Il1aMljBMKnw6WJoGPb5FUoRAVyImHlawsI4KF6bZiFf5dU82zx58L8ga8gR:WJCKxWfPNFwyIUlawuzlizKLR
Threatray 10'019 similar samples on MalwareBazaar
TLSH 4115BF23E2A15873C01316388CCF5BB8AD2EBED0291B79A72BF51D48DF3D6817916197
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.kestrisolution.in
Sending IP: 139.59.88.44
From: quality@magsonind.in
Subject: PO.no.12 (stock Order)
Attachment: PO.no.12.rar (contains "PO.no.12.exe")

AgentTesla SMTP exfil server:
mail.tejengineering.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541052
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 10:35:18 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5maixidgxckcejyxxqb57fhqiva3tcja62gilidso5df37mk7lkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
AgentTesla
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
AgentTesla
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
AgentTesla
b2ec3cbaca68c03cabfbd50b7b94908971b26a52e5eacd80d499844944929c1b
AgentTesla
b61fd6fa3079321e5231c3bdea1d4894b2de3fb8a8e38c2cb2c3d4754a7da86d
AgentTesla
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
AgentTesla
c6d32cce563241de2f9137ed8a1812a2413cbed6f84d4d6870202fa0fcd1e01e
AgentTesla
deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
AgentTesla
f114260deddc0c7ea49c9a76fca65890679874e9d295c0015d6de8f736fb8c5e
AgentTesla
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
AgentTesla
+ 10'009 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201118-tdftd63elj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5
MD5 hash:
92b31af297584fdea285036b968dd849
SHA1 hash:
f29366260138af4bafafc2d1006dd15fd8dd5384
Link:
https://www.unpac.me/results/21c9b499-46bb-4084-bac8-350cba52ca21/
SH256 hash:
a50e7a861df0a05a72a6244e421157bd6247ceec725b6270d90fd06a1c364083
MD5 hash:
98417134cb9c5e02a899d224f2b8327e
SHA1 hash:
fb7b069e05e474902abeb2610461f65636dd9132
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/21c9b499-46bb-4084-bac8-350cba52ca21/
SH256 hash:
d72b1e5d871c441e789ff2c0f84cb8b954c7a666a8bf59c91943935cc60e89f8
MD5 hash:
1340d45effafc0cc279e1d71672c262f
SHA1 hash:
0ecaa885a7150bb048e05cd88deead926843c602
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/21c9b499-46bb-4084-bac8-350cba52ca21/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5ed409caf0258956064621c2f1fad3287f3259eb8d4a9ac1e9d3a53c45fc66e9

AgentTesla

Executable exe eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5

(this sample)

  
Dropped by
MD5 2a6d9faae658bbe16ba0d7107c3299a1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5ed409caf0258956064621c2f1fad3287f3259eb8d4a9ac1e9d3a53c45fc66e9

Comments