MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4
SHA3-384 hash: 016a2d357804e4d7d7eae5f0a131e0e7ee7122429f85f0413934aff6ba0b29fb0c6d21ed875a0b0cd9ac5d740d1834fb
SHA1 hash: f5943d89a6c06832b7ad59a1b2d00b08e05c24da
MD5 hash: ff5612d0eddf06a47e32bbfa4fb01a0c
humanhash: oranges-sodium-louisiana-rugby
File name:Halkbank_Ekstre_20230321_080804_358439.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:729'600 bytes
First seen:2023-08-02 08:57:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:hCbpNZ2DDtz43d6MIxlghTRVDMXxrkx9mX/ZEj5ZzHVpc4mvu4I6xEVRe:UbpvWzMd/Irxdyt1m5tIRe
Threatray 306 similar samples on MalwareBazaar
TLSH T17BF4F04071BA5F57C5BEC3F92660A11117F26CAF113CE3698EC2A0CA1636F119B95F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230321_080804_358439.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-08-02 09:03:09 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/cfb266c7-e776-46dc-8423-633a27b07bb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439798/
Detection(s):
SecuriteInfo.com.Variant.Lazy.368304.7024.21689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ca1a9ccbfeb5bd57512427/reports/bb5b249b-0ef7-4831-8f22-ed3fd65c3c34/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/885d9f9f-3fe7-4077-b1f0-1a732b124aba
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284270
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53v55aej2m6jw5xn3uvhyk7yb2wj2vtrnncwmi4yhbosdlsykpca._file
Verdict:
malicious
Similar samples:
1aa319975a9d1142cd5737d4b41d1004223881bf4e3485770a75be645e54934e
AgentTesla
1fe0659929bf6a67424138eddac1876c3fcc771e614bf90b286ecfe083641bdf
AgentTesla
2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8
AgentTesla
77f42c84ab266e5cb7c3ac457e324874c7b6e3b1f64191ada33bcab82f33a57d
AgentTesla
91cebe14386e053247997445208e08475f64480520316f826e252dd11431e240
AgentTesla
ac0ec8320601c7a274a4a97536cc6f3387964581b1a676d0c276381437967ca0
AgentTesla
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
AgentTesla
b9008341c54406621f94780f0d01e2cf61946a48101738fa73531687a5f1caad
AgentTesla
be34a7f3fb6fd3a52d2c2fa5452b6cf7fb4afa00ca29bda99c0e4710771ef71c
AgentTesla
e163660f2b270299aa1ff5846e0b7b8d9eac1f91ad2d3f5cfe3cfc261123bdcf
AgentTesla
+ 296 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230802-kw6kqaeh8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/d456cd18-91a8-416b-ad10-16207e3d8866/
SH256 hash:
aaa69f4f7662460866ea52f59c28e58af8bc5fc16d16d1e699e32f9a433641bf
MD5 hash:
0201517543351a94e8e14222c63f0630
SHA1 hash:
af1eba76b363a9b52a401740aa6b4f11e6780ca0
Link:
https://www.unpac.me/results/d456cd18-91a8-416b-ad10-16207e3d8866/
SH256 hash:
46a210bea799a9a89410c9bd3bc54268b05357dccd6157bc544ab0d047ed0a8c
MD5 hash:
89de8ce3b125f017060a4fd57c5b9f13
SHA1 hash:
79ece231365e70cee56b6c1213967697b4311023
Link:
https://www.unpac.me/results/d456cd18-91a8-416b-ad10-16207e3d8866/
SH256 hash:
021f66212015c33d2d361de62adf410ad47ce46830b2d074453f1e6f9ca11611
MD5 hash:
62431d8632468fd96bb1f9de7d3f3312
SHA1 hash:
21c2472d61e01f2b15866a42dc406d9fe3f56309
Link:
https://www.unpac.me/results/d456cd18-91a8-416b-ad10-16207e3d8866/
SH256 hash:
eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4
MD5 hash:
ff5612d0eddf06a47e32bbfa4fb01a0c
SHA1 hash:
f5943d89a6c06832b7ad59a1b2d00b08e05c24da
Link:
https://www.unpac.me/results/d456cd18-91a8-416b-ad10-16207e3d8866/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eeebde8089d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe eeebde8089d33c9b76eddd2a7c2bf80eac9d56716b45662398385d21ae5853c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439798/

Comments