MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60beeab7f812dbbf97ff996522bfd5c5b87831608170acbb539ec8c8ec3ac89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f60beeab7f812dbbf97ff996522bfd5c5b87831608170acbb539ec8c8ec3ac89
SHA3-384 hash: 59f47fc97e86dc25c79d83017096684184db8355958886420fc9eeaf4f8f560b0be57a878e8fd9029cd1bff4bf23546d
SHA1 hash: cc3c33d0893862ea64a19acd7eb06486bfda15b7
MD5 hash: 3528c954ebad9d627e99ebc56d78b6d0
humanhash: spaghetti-delaware-nebraska-mars
File name:justificante de la transfer.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:331'776 bytes
First seen:2020-11-05 10:20:32 UTC
Last seen:2020-11-05 11:51:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f42654562195fe3ea6c753a45741a97 (6 x AgentTesla, 2 x Formbook)
ssdeep 6144:ttwGdUC2tXBs7eA1rUvTZSOJgIdCVPBXru8N7NOV/+4:9dUCusakoQOdYBXRN7Nw/r
Threatray 92 similar samples on MalwareBazaar
TLSH 9064F116B2E4D031E073163B88758A624A7FFC314F38ED177798120A5975BC1EA66FA3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.iparvending.es:26

AgentTesla SMTP exfil email address:
147henryo@gmail.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83220/
Detection(s):
SecuriteInfo.com.Artemis3528C954EBAD.14345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521317
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f60beeab7f812dbbf97ff996522bfd5c5b87831608170acbb539ec8c8ec3ac89/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 08:25:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yf65k37qew3x6l77glfek75lrnypaywbalqvs5vhhwizdwdvseq._file
Verdict:
unknown
Similar samples:
15c7df3fd38078bfe8814c09bc69279c91ae32fc7178912998b6eca91f4d82b8
AgentTesla
16a895e73a1fa9260fdc42786d134cadbfd8936365e2f550322f45f08307186e
AgentTesla
339505a9dc4fdae3e5a44a6d33230c75d181a8674bead358b8c9012156f4672d
AgentTesla
70cd238b3f80f507ac99f8d355b5d461627e8a61ddd7ffba252296fea2619978
AgentTesla
92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
AgentTesla
c0f902eb625b7628d517c0fc1529dd4fe5954889f81bafb5b6e35c39205c84eb
AgentTesla
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
AgentTesla
dceee69386ab214661fc1c13d5ee5138a97fc9e3a03516ccb8c29cf7251398a5
AgentTesla
e0f3cc45f5f9d758b91fc99dbc5b838e8658fa28bad234825318e18d11806681
AgentTesla
e4badaf86c0f22c6b31c97f661ba5af3f757697e7493c2e750a813173dec2273
AgentTesla
+ 82 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-5pzl28r6qa/
Unpacked files
SH256 hash:
f60beeab7f812dbbf97ff996522bfd5c5b87831608170acbb539ec8c8ec3ac89
MD5 hash:
3528c954ebad9d627e99ebc56d78b6d0
SHA1 hash:
cc3c33d0893862ea64a19acd7eb06486bfda15b7
Link:
https://www.unpac.me/results/3cb7beda-1200-4114-a261-2c5e7acb91d6/
SH256 hash:
7dcc0cf6346f4f3051bd3092e5bb0a9a14ca00c56a9768a71ac4b4aacb117d88
MD5 hash:
a9d79b19fe2afe7cb8aed3c17f17a9e7
SHA1 hash:
cbb854bd3446623e37c6820bb0d86c231763c603
Link:
https://www.unpac.me/results/3cb7beda-1200-4114-a261-2c5e7acb91d6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f60beeab7f812dbbf97ff996522bfd5c5b87831608170acbb539ec8c8ec3ac89

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83220/

Comments