MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb05365a45080a0ee40aa03ac166b7d3f47d4f86bdd37427ba754be5aaee6aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: eb05365a45080a0ee40aa03ac166b7d3f47d4f86bdd37427ba754be5aaee6aae
SHA3-384 hash: 261cb5b8b8135fb1cef5c4af6cb6de56905fbbd00d1966613e3bd816643ef77a1985f2fd8bdbe5af914c6dd12da41def
SHA1 hash: fe73bf73c15a4274917724969b39eedaac3dc54c
MD5 hash: e57f9a304c3b06d60f00007e6412978a
humanhash: snake-quiet-louisiana-triple
File name: e57f9a304c3b06d60f00007e6412978a.exe
Signature: AgentTesla
File size: 665'600 bytes
First seen: 2020-09-20 04:04:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cc67ee6a8640624dda256b3b953017e (5 x MassLogger, 2 x AgentTesla)
ssdeep: 12288:6Qbhex2teM2Lfzpl6+fcZfcNp3nCoKza52MYSnbbOzhz:Xh1n2Ltlpm+x/K252MYSnvOR
Threatray: 1'566 similar samples on MalwareBazaar
TLSH: 88E4AF32E2E15533C1772A3DCC0B97749C2ABD533D28A8866BE4DD4C5F39681F929293
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 164
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph: (rendered as an image; the data recoverable from it is listed below)
Behavior Graph ID: 287812, Sample: pDkRV0Bz74.exe, Startdate: 20/09/2020, Architecture: WINDOWS, Score: 100
Processes: pDkRV0Bz74.exe (starts a second pDkRV0Bz74.exe instance), endy.exe (two instances, each starting a child endy.exe)
Network: bh-58.webhostbox.net (199.79.63.24, ports 49758, 49760, 49761; PUBLIC-DOMAIN-REGISTRYUS, United States), contacted by the child pDkRV0Bz74.exe process
Dropped files: C:\Users\user\AppData\Local\Temp\...\endy.exe (PE32); C:\Users\user\...\endy.exe:Zone.Identifier (ASCII)
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-09-18 03:09:00 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: upx spyware keylogger trojan stealer family:agenttesla persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: AgentTesla
File: Executable exe eb05365a45080a0ee40aa03ac166b7d3f47d4f86bdd37427ba754be5aaee6aae (this sample)