MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b
SHA3-384 hash: 531e271e966c6d996eed4177dfc4d8def8d59368e2513d9f9a5133725c6d4b44cbdf140af5097ae23d8f674aaeb30218
SHA1 hash: 0ed90586aeb4883232b9164589f6a433182d63ae
MD5 hash: d16b5e48914ce9ea9fc844a13a07e5ec
humanhash: arkansas-arkansas-harry-cardinal
File name:bcu5lW8ZPIsPuE6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'224'704 bytes
First seen:2022-10-13 10:06:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:nxtEqDwokjnnwZ1LFHoaqeV4CeCpH2uJpwLK9fw:Ff83nxloH9kK9f
Threatray 20'706 similar samples on MalwareBazaar
TLSH T1F0459C7522948917D12A32B4C887D5F32BFB5D516192D2C72AC72FAFBC843B7A50324B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319820/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6347e34633e66132ed02ed41/reports/ec1057f5-9142-4b58-add1-8bd346b602ed/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d882b75-91c6-4d91-a42d-7ca2a16c560c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089700
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722310 Sample: bcu5lW8ZPIsPuE6.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 6 bcu5lW8ZPIsPuE6.exe 3 2->6         started        10 PDeLIuR.exe 3 2->10         started        12 PDeLIuR.exe 2 2->12         started        process3 file4 23 C:\Users\user\...\bcu5lW8ZPIsPuE6.exe.log, ASCII 6->23 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 14 bcu5lW8ZPIsPuE6.exe 17 5 6->14         started        55 Machine Learning detection for dropped file 10->55 19 PDeLIuR.exe 14 2 10->19         started        57 Injects a PE file into a foreign processes 12->57 21 PDeLIuR.exe 2 12->21         started        signatures5 process6 dnsIp7 29 mfaraday.com 70.32.23.84, 21, 31127, 41377 A2HOSTINGUS United States 14->29 25 C:\Users\user\AppData\Local\...\PDeLIuR.exe, PE32 14->25 dropped 27 C:\Users\user\...\PDeLIuR.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 31 192.168.2.1 unknown unknown 19->31 39 Tries to harvest and steal ftp login credentials 21->39 41 Tries to harvest and steal browser information (history, passwords, etc) 21->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 10:07:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxyl2vxae6aabvriidpggyitpbw2hdi35rifzyx2bm4eiasjrvvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01b9dcef06125de378e0a88f398cb651e2b3200eaef8d4847136b1dc6560057f
AgentTesla
7c8c2fa397b93c1f26f29a90a60f20b33e9220804ac2b1f1bb77cfb82833b116
AgentTesla
827955ec61948dbbf5ede93b4e2ff9933e6cb31579d9bc5df88e96fd4ce2d034
AgentTesla
9a16729a0163be1d5eaeb28c98fae4574668d657af10e0b7f669993c1cf609d9
AgentTesla
ad637f4d63f12c6eb0b3e954bf1c069141e11fd3a1c3230b475add4df3f784ce
AgentTesla
d3665fe1d001671b5d92fed405e0889d6e25a694628fb13754933b76a9c8dc8f
AgentTesla
ecbe8b6127e43ff6e69db36bf4822b37fd8b68bb5c3a384e8066d17a59f0a321
AgentTesla
+ 20'696 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221013-l5mdwabhc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/131ab422-af6d-4739-b8c0-67c244c06e41
Unpacked files
SH256 hash:
b2b42ea5752ec700c9c18e1abe4d05fd51894820f50875755a4f4d16f5e8a785
MD5 hash:
20fa41eaf0f6446248f93de503d057d5
SHA1 hash:
d1d4912615a0a0183e2b2ff7970971c5b4609696
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
SH256 hash:
176538cf55ba5e31d94ad3c3409fb8ec4649018a342e7df576dffd3b921f662e
MD5 hash:
b6c7d18e249b045d2cc96705a72b778c
SHA1 hash:
7f3dc7fc284b20ae16f727ef289d0f256326b14c
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
SH256 hash:
f4dfc095e70dbd997498b57215af891277bd66fa134f2eb9fe711502dc436fa7
MD5 hash:
ae7eb49e144f3591bdf8b6cfd232f8d3
SHA1 hash:
72d92be15a1d2af54c2432370ac45cd439b8d974
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
SH256 hash:
55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b
MD5 hash:
d16b5e48914ce9ea9fc844a13a07e5ec
SHA1 hash:
0ed90586aeb4883232b9164589f6a433182d63ae
Link:
https://www.unpac.me/results/2fd8a455-e874-4367-a6d6-4c702010a55e/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55f0bd56e027/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 55f0bd56e0278000d62840de636113786da38d1bec505ce2fa0b384402498d6b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319820/

Comments