MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeeb63ae9b769764bd474d5367d3a0c4efaba149d355595de5be92fafe08de19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeeb63ae9b769764bd474d5367d3a0c4efaba149d355595de5be92fafe08de19
SHA3-384 hash: 85682499b44d95e3fbb6213d7d29118ed8703aadf5f275153bc6a1cf978d4f36dc18c2961ffeacbd77aa44edb86facaa
SHA1 hash: 3a4adb8a557aa1e71b9c7af857e67517d4d34d06
MD5 hash: cec0e37053fcaac8e1baa771073c2ef7
humanhash: summer-don-cup-alanine
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:683'208 bytes
First seen:2021-04-24 11:09:00 UTC
Last seen:2021-04-24 11:52:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc617378d196c4568d2c591a8467634d (1 x FormBook, 1 x AgentTesla)
ssdeep 12288:20UgyOYk9NYZnOXdQwP/a4bt3CSXHfYPyLT2l1sQCLVmiSU:20UbJZnOXz/7x3XHwg9miN
Threatray 49 similar samples on MalwareBazaar
TLSH 30E47C12F2A16477F17F65785C17A3B9DC2ABE212D149C8673F92D186F3B2903B26183
Reporter TeamDreier
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2021-04-24 11:17:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6409397a-b120-4545-a7e2-aefb2beff18a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144004/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/696757
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397301 Sample: Payment.exe Startdate: 24/04/2021 Architecture: WINDOWS Score: 100 71 Found malware configuration 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 4 other signatures 2->77 11 Payment.exe 2 28 2->11         started        16 Aojlty.exe 19 2->16         started        18 Aojlty.exe 2->18         started        process3 dnsIp4 57 onedrive.live.com 11->57 65 2 other IPs or domains 11->65 51 C:\Users\Public51etplwiz.exe, PE32+ 11->51 dropped 53 C:\Users\Public53ETUTILS.dll, PE32+ 11->53 dropped 55 C:\Users\Public\Libraries\Aojlty\Aojlty.exe, PE32 11->55 dropped 91 Detected unpacking (changes PE section rights) 11->91 93 Detected unpacking (overwrites its own PE header) 11->93 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->95 103 3 other signatures 11->103 20 cmd.exe 1 11->20         started        22 Payment.exe 2 11->22         started        59 192.168.2.1 unknown unknown 16->59 61 onedrive.live.com 16->61 67 2 other IPs or domains 16->67 97 Antivirus detection for dropped file 16->97 99 Multi AV Scanner detection for dropped file 16->99 101 Machine Learning detection for dropped file 16->101 25 Aojlty.exe 16->25         started        63 onedrive.live.com 18->63 69 2 other IPs or domains 18->69 file5 signatures6 process7 signatures8 27 cmd.exe 5 20->27         started        31 conhost.exe 20->31         started        83 Tries to steal Mail credentials (via file access) 22->83 85 Tries to harvest and steal browser information (history, passwords, etc) 22->85 process9 file10 47 C:\Windows \System3247etplwiz.exe, PE32+ 27->47 dropped 49 C:\Windows \System3249ETUTILS.dll, PE32+ 27->49 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 27->89 33 Netplwiz.exe 27->33         started        35 conhost.exe 27->35         started        signatures11 process12 process13 37 cmd.exe 1 33->37         started        signatures14 79 Suspicious powershell command line found 37->79 81 Adds a directory exclusion to Windows Defender 37->81 40 powershell.exe 27 37->40         started        43 conhost.exe 37->43         started        process15 signatures16 87 DLL side loading technique detected 40->87 45 conhost.exe 40->45         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeeb63ae9b769764bd474d5367d3a0c4efaba149d355595de5be92fafe08de19/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-04-24 01:55:29 UTC
AV detection:
31 of 47 (65.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53vwhlu3o2lwjpkhjvjwpu5aytx2xikj2nkvsxpfx2jpv7qi3ymq._file
Verdict:
malicious
Similar samples:
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
AgentTesla
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
AgentTesla
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
AgentTesla
752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957
AgentTesla
abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
AgentTesla
b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
AgentTesla
bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb
AgentTesla
c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c
AgentTesla
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
AgentTesla
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
AgentTesla
+ 39 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210424-1l39l4f7la/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/a81a0185-1e7b-45e2-b9e0-1fdd265e9d5a/
SH256 hash:
eeeb63ae9b769764bd474d5367d3a0c4efaba149d355595de5be92fafe08de19
MD5 hash:
cec0e37053fcaac8e1baa771073c2ef7
SHA1 hash:
3a4adb8a557aa1e71b9c7af857e67517d4d34d06
Link:
https://www.unpac.me/results/a81a0185-1e7b-45e2-b9e0-1fdd265e9d5a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144004/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-24 12:04:30 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
15) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread
19) [C0054] Process Micro-objective::Resume Thread
20) [C0041] Process Micro-objective::Set Thread Local Storage Value
21) [C0018] Process Micro-objective::Terminate Process