MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb59bef21a675d89a1301eb8494aa1e02a9580cb562d33b5f31ee9053b5f3e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 18



SHA256 hash: ebb59bef21a675d89a1301eb8494aa1e02a9580cb562d33b5f31ee9053b5f3e7
SHA3-384 hash: c568ff68acd08bdd09952c12a53d090db573523ac887111b955b653138ae78b6ad654745e6cba6ee46c15d7327627330
SHA1 hash: f153caa495b990aaa5cc797fbe837fdd4f438ade
MD5 hash: 68fde124b69e1b15a9584df468f0dbba
humanhash: ack-sink-saturn-twelve
File name: ebb59bef21a675d89a1301eb8494aa1e02a9580cb562d33b5f31ee9053b5f3e7
Download: download sample
Signature: AgentTesla
File size: 603'648 bytes
First seen: 2023-08-08 13:15:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:EkysSRZvOA03cPnMqIejgzRpSD6UND5R6orT1uycr6JZIrfpz:M6kMIgiNND5ZrBuyckUfpz
Threatray: 3'445 similar samples on MalwareBazaar
TLSH: T1C1D4F1A9B1FA1B63D37983F6556426410B7432A77C27D93C1EDE20C9FA13F5019A8AC3
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: HU
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: ebb59bef21a675d89a1301eb8494aa1e02a9580cb562d33b5f31ee9053b5f3e7
Verdict: Malicious activity
Analysis date: 2023-08-08 13:18:07 UTC
Tags: stealer agenttesla trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: floxif formbook packed threat virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1287876
Sample: NuUZG32o78.exe
Start date: 08/08/2023
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Snort IDS alert for network traffic
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  8 other signatures

Process tree (leading numbers are the graph's own node identifiers; each listed process was started by its parent):
  7 NuUZG32o78.exe
    dropped: C:\Users\user\AppData\...\aqkKvxhuAcx.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmpBFFA.tmp (XML)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    17 NuUZG32o78.exe
      network: smtp.aabaag.com; 2 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\...\VzKCUwk.exe (PE32)
      dropped: C:\Users\user\...\VzKCUwk.exe:Zone.Identifier (ASCII)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
    22 powershell.exe
      36 conhost.exe
    24 schtasks.exe
      38 conhost.exe
  11 aqkKvxhuAcx.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    26 aqkKvxhuAcx.exe
      network: 208.91.198.143, 49711, 587 PUBLIC-DOMAIN-REGISTRYUS United States; 208.91.199.225, 49710, 587 PUBLIC-DOMAIN-REGISTRYUS United States; smtp.aabaag.com
      signatures: Installs a global keyboard hook
    28 schtasks.exe
      40 conhost.exe
    30 aqkKvxhuAcx.exe
  13 VzKCUwk.exe
    signatures: Injects a PE file into a foreign processes
    32 VzKCUwk.exe
      network: 208.91.199.224, 49708, 587 PUBLIC-DOMAIN-REGISTRYUS United States; smtp.aabaag.com
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    34 schtasks.exe
      42 conhost.exe
  15 VzKCUwk.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-05-15 08:37:57 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: d3b762d695e982bc86ff1ca0c699d045da31ec1f8b8fe6ba442f47db9f5dd448
MD5 hash: e5d28313f32abcdbd2645a7597c0928a
SHA1 hash: d29828a86e69a4441ae4cee530b807e1e9e71fd6

SHA256 hash: c4bf1186b49a79737681498cd762fcf25d0e466791ff7b4ed083bd302a42b446
MD5 hash: 8046c1d4832e5ac55d00f422606ac34d
SHA1 hash: bc74a38db1aa5372f993fc541f5aa6d6e561d44d

SHA256 hash: 70283da7e77bf4a5298fd0a9a6d936ec3e61c161dbdd4c1cad252f3ec9da50cc
MD5 hash: 7a56c7db349e0cefdcccbec51e193ede
SHA1 hash: 46ba04e30017235209de2e9171ea73a358a5e61e
Detections: AgentTeslaXorStringsNet

SHA256 hash: 366e44603ee33939274f0eb42c38432b30c64b9b0cad85a47ef57480630fcb81
MD5 hash: 58acc5bcfdd91a737634404347076d22
SHA1 hash: 24a2f66374ac801cfe4d1304ab52b9585f33a8b1

SHA256 hash: 9d9de24b5feb6f92cf82c36b22ed7abc2427e9ba7a38abafd13d5e05ad8db255
MD5 hash: 0ab21029a9b7109ec9700275333dcaa6
SHA1 hash: 02c1a22cd86c10cc154cf21aa6c8c04a0c7b0bf5

SHA256 hash: ebb59bef21a675d89a1301eb8494aa1e02a9580cb562d33b5f31ee9053b5f3e7
MD5 hash: 68fde124b69e1b15a9584df468f0dbba
SHA1 hash: f153caa495b990aaa5cc797fbe837fdd4f438ade

Malware family: AgentTesla.v4
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MSIL_SUSP_OBFUSC_XorStringsNet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference: https://github.com/dr4k0nia/yara-rules

Rule name: msil_susp_obf_xorstringsnet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments