MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e
SHA3-384 hash: 3d79f61f823306396e26cf40824b0370679f7170a5243d7fad0772be6745da69a540f3f1118968e2b7cc9e86ded0cc27
SHA1 hash: 5329657eea579ade8dca4c80e8426e02e4a60cb1
MD5 hash: 639faff5ba5a0739952e8bb21d56a91b
humanhash: pennsylvania-illinois-jig-double
File name:Transferencia Bancaria.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'366'016 bytes
First seen:2020-12-27 07:41:49 UTC
Last seen:2020-12-27 09:36:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:PUhuj7Haxh4Sy1T5S1SGe10xU2spy/EQpnr8BeS+2WB:MhkHaRy1f4/sU/Tnr8
Threatray 699 similar samples on MalwareBazaar
TLSH 2955F2253BD0BB8EC66E4F7594138500ABF0D7739607FAD72DF219D82A8EA718633542
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dialhost.com.br
Sending IP: 177.52.160.32
From: Paula Oliveira da Silva <dfqs7ccf@sigestonline.com.br>
Subject: Comprovante de pagamento
Attachment: Transferencia Bancaria.zip (contains "Transferencia Bancaria.exe")

AgentTesla SMTP exfil server:
smtpout.secureserver.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transferencia Bancaria.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-27 07:44:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d70ced6a-91c6-4c62-8db2-d776c06dcab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109553/
Detection(s):
SecuriteInfo.com.FileRepMalware.20809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570327
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-27 07:42:09 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57y3zsqw2dqoba4ctdlvsw46wcmnoc6up7iz7s36dzrmqee2pmha._file
Verdict:
suspicious
Similar samples:
18b9046aeb034225430d92767e84dc4f00c074a349f718bdae4433c69063268a
AgentTesla
2352a7cd00ed5221c4b807670ca01f49f76beb5dea868d8db38b1fcc0e362c18
AgentTesla
2dafd5f1570c579446d2b06ba815302da926c49683a36fe643241f1bd2144ac0
AgentTesla
51031d05083e587fa113208a5de4c7f7c0bd4f6ee385bdfee92c63786f7d7e88
AgentTesla
9ed2069b9a3bddb9c39ab8cf5f0fa3bf79fc9c1f438ae4f7c532132aa214e178
AgentTesla
a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
AgentTesla
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
AgentTesla
c3ca6a64f95f07e7557eb0ed7968c7d7bf735b08478f517061542059930bbf32
AgentTesla
c973d5e41c51df55c3b09912bd981cd4872c3a65869f298ffb281db49ba1bc2a
AgentTesla
fe6ec6d4d80f1ecf573ef8f80c655a1112975786ecda3929154f05de51057b26
AgentTesla
+ 689 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201227-hh8zbckrej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e
MD5 hash:
639faff5ba5a0739952e8bb21d56a91b
SHA1 hash:
5329657eea579ade8dca4c80e8426e02e4a60cb1
Link:
https://www.unpac.me/results/d8a85d2d-7abd-4e32-8c3a-554b0659e111/
SH256 hash:
f82471c611665a6cfccf5f461e611fb3d7d08056c69de55003278c0666c95997
MD5 hash:
25f6bee9e1f4fbcd705e6b99067d7257
SHA1 hash:
5efe501c314d1ad4ca33f2b148ace019dedf23a0
Link:
https://www.unpac.me/results/d8a85d2d-7abd-4e32-8c3a-554b0659e111/
SH256 hash:
a0db06590072ed98ea49fc60c7fbbf75c073440a7c5efa8b367ef11da52ac49c
MD5 hash:
49c48ffa3edb06a0259d52d31bb89755
SHA1 hash:
7986cbddc0032f75deee847dd4f25881c76e8b51
Link:
https://www.unpac.me/results/d8a85d2d-7abd-4e32-8c3a-554b0659e111/
SH256 hash:
1d5c9e8b0997fe884d83de0ce97ee71bd5ad650fb132f7260f5d1bc26945776b
MD5 hash:
7463185ecc5c33f50e4896cfb97a1167
SHA1 hash:
8797e30ed21d4eb563b4339097d5489a12ee3fbe
Link:
https://www.unpac.me/results/d8a85d2d-7abd-4e32-8c3a-554b0659e111/
SH256 hash:
f96b672808ad71184331422177644a455188edc1538545af4b09393a6c9934eb
MD5 hash:
59a180eafc902d9352351294e394cbfe
SHA1 hash:
db0f147fea62cc068933e515d23bdfc22b2829ea
Link:
https://www.unpac.me/results/d8a85d2d-7abd-4e32-8c3a-554b0659e111/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 9db74c9e5bdfc9e69af0186a5f7d712b2f10c87fd90b78b3e6778e349ccc913a

AgentTesla

Executable exe eff1bcca16d0e0e0838298d7595b9eb098d70bd47fd19fcb7e1e62c8109a7b0e

(this sample)

  
Dropped by
MD5 fb76d1ecbeadd4b82fbe2726edf78b40
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/109553/
  
Dropped by
SHA256 9db74c9e5bdfc9e69af0186a5f7d712b2f10c87fd90b78b3e6778e349ccc913a

Comments