MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae
SHA3-384 hash:	9bd2ad9b2ef2e3f826c57eee4db7113f228ad8a873ca4d4e34a66c86fad9c1e524f2c478a28751a8d7b4488f605aaf0f
SHA1 hash:	9cf3ed0d69b5dbe38266d80a6c2ef5c33a02da6b
MD5 hash:	da503a926b278a7fa77a3724e656fd70
humanhash:	illinois-lactose-jig-fillet
File name:	da503a926b278a7fa77a3724e656fd70.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	501'248 bytes
First seen:	2020-10-05 11:11:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:pqRJbk/2GDTSEQod1ayATGBOZBWaCCobX+6SaD3Y7biwdW6iGk0f/vvbWxzx+Czo:pqRKayAqgjC9jmxVf/bQzx+C1PgbNF
Threatray	308 similar samples on MalwareBazaar
TLSH	3CB4CF3183982B5BCB7E6438C451953083F5EE025662FA4F7F94349890F174E6BA63F9
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.africanuniquesafaris.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68126/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/481249

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-05 11:13:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=525hkn7dsfvgy3ksgqhwjd4xbrfnqnuqkl54ennvzzhd6ftmtkxa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519

AgentTesla

1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241

AgentTesla

3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3

AgentTesla

535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64

AgentTesla

787bbb324bff5c9623f81bcfb8eb548a5938a50323c594440bc46dacd52276a4

AgentTesla

7a5cf1b0f0b115b160a48992609c57b8f9c4591a736ffc052549b2f1e91e2eb7

AgentTesla

a394155e8d2a15fa55c36e9b679cb922fc07b598c207564434fc8c80ee046503

AgentTesla

c8a3e3215f590c257667fbdde0b3632828f0028b0081b996c3547643c1ababba

AgentTesla

d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3

AgentTesla

+ 298 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201005-ch1758vb36/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae

MD5 hash:

da503a926b278a7fa77a3724e656fd70

SHA1 hash:

9cf3ed0d69b5dbe38266d80a6c2ef5c33a02da6b

Link:

https://www.unpac.me/results/e0815b65-f2d5-4b87-9014-e2f075d774f9/

SH256 hash:

01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a

MD5 hash:

eb593633270aa19162cf64663df9dd6c

SHA1 hash:

2ec57181471ff10abe9a04239ca3ea86ea4252b9

Link:

https://www.unpac.me/results/e0815b65-f2d5-4b87-9014-e2f075d774f9/

SH256 hash:

026c8a2f50021e86647c13101e2439dcd5b470b17e5dd2da287ca9f8fc51d765

MD5 hash:

3bc125684db1a66d90d4f161fbd295fc

SHA1 hash:

3d3ef0fb2b8d3852d16e79f2e530455a0b451232

Link:

https://www.unpac.me/results/e0815b65-f2d5-4b87-9014-e2f075d774f9/

SH256 hash:

8e43cb37dd3161da59ad58383aa936936622a19ff40696cdbb510990f98fac4e

MD5 hash:

5638dcee430c256be5550f0f5db069ce

SHA1 hash:

8434ad6e782b89266a1a29ae64a6c856c1783040

Link:

https://www.unpac.me/results/e0815b65-f2d5-4b87-9014-e2f075d774f9/

SH256 hash:

5ab0dcd35eb1e7ead1b05186741998eeccd466d27fb7e294628eaec72cd39afe

MD5 hash:

9a8d6071f1c858fb06b8452bd4e944a2

SHA1 hash:

f706b8aeb93948efb4912791b30b1bf2e0a67672

Link:

https://www.unpac.me/results/e0815b65-f2d5-4b87-9014-e2f075d774f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/68126/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample