MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc15b59bbfc3e94347809a2bb9f8fbcc1982b2ef982635d6bb1d9a7be1cafbf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	bc15b59bbfc3e94347809a2bb9f8fbcc1982b2ef982635d6bb1d9a7be1cafbf4
SHA3-384 hash:	e89d8cbb1500f7cca013a5c986d60ffde9ac8aed470f83a654a6e44d93227737497b890f19dbfc1e34e1b9fb07250225
SHA1 hash:	0ef5cc0af899e496c66f9e540b6f4a9880ed0ab6
MD5 hash:	6fdbc8bada29a4079835068a4e4bd9ea
humanhash:	fruit-ack-nine-india
File name:	Urgent inquiry.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	308'224 bytes
First seen:	2020-08-04 07:44:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:0lvPSCiP3SQ3hc7n5s2lBCrYWNXMbpHLjwb:0chPknT
Threatray	10'651 similar samples on MalwareBazaar
TLSH	BB64297D6B88B902F23D497651D2622062F1D4834E12C34F6EC46EFDBF517C92E4A3A6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: aaturkgroup.com
Sending IP: 103.99.1.145
From: Abdul>sales@aaturkgroup.com
Subject: RE: Urgent! New Order
Attachment: Urgent inquiry.rar (contains "Urgent inquiry.exe")

AgentTesla SMTP exfil server:
srv31.niagahoster.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/38313/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

Reading critical registry keys

Launching the process to change network settings

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/408840

Signature

Found malware configuration

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/bc15b59bbfc3e94347809a2bb9f8fbcc1982b2ef982635d6bb1d9a7be1cafbf4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-04 05:14:08 UTC

AV detection:

40 of 48 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqk3lg57ypuugr4ativ3t6h3zqmyfmxptatdlvv3dwnhxyok7p2a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2db130b6ad748672b5cbc14066640e1719f5736b54214194e94fc7e5abf97ac4

AgentTesla

66dcc6879cbad6d6bd91f0599f73e7a04eaadf041f9416ade10a76d46102e4c4

AgentTesla

68f746d2933821737aafcf2bc00db8b8f2db8fe6b6aec4ea25eb0bf31b1c370b

AgentTesla

7eea3bb234987693f1537476939f6e2527581c9a52f6d81882a3a2045367676c

AgentTesla

7f547a386bca141205b0b5ce1d37c2de284b25988c8dc693ded6e10232251626

AgentTesla

872e06d165968c0548d362d26c3c05ba9c3f35fe1066c5623dded0dd7cbb92f2

AgentTesla

8800fbb61281cd07571f34ae8c9b2eeef62179b7804e9a8496b264ff9173df61

AgentTesla

d92dcda06015bc3d7dc48098eee32a8e77b6b387790abefbff55cad7ff44fca3

AgentTesla

e6f24dc63903a62c11b31f12fdf5e6c71d434782963b51e3e25a9267d4004949

AgentTesla

+ 10'641 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200804-j21gnm98vn/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc15b59bbfc3e94347809a2bb9f8fbcc1982b2ef982635d6bb1d9a7be1cafbf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar