MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317
SHA3-384 hash:	9aeab896573514b441309e423419a9ca6cebebfcdbe4759f46872f0b65a94282354559a0fcf2c5ad190e8a5cd4ca2c25
SHA1 hash:	bf9d25d8f52602ec70285019724bab1c320e5a62
MD5 hash:	923d4abf2e3c8ae7cd158bf5f9be2aa5
humanhash:	solar-maryland-don-freddie
File name:	bdol.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	167'936 bytes
First seen:	2023-10-16 08:35:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'601 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:cSaas1lAgldsq0Ypsm3Cpc7w8N4jb00s1uMr7NBz:k1lDdsqRpZqoNgb0tF7
Threatray	46 similar samples on MalwareBazaar
TLSH	T17DF3392F52DA4DD1C37E4074C5F112041ABAD97782DBE76E1DB19CFA3E06783322A866
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	pmmkowalczyk1111
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

bdol.exe

Verdict:

Malicious activity

Analysis date:

2023-10-16 08:37:11 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/5e9a3890-c470-407e-b257-4c68f4ead3cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/454789/

Detection(s):

Win.Packed.Generic-10003641-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Sending a custom TCP request

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control hacktool keylogger lolbin packed packed replace

Link:

https://www.filescan.io/uploads/652cf5f45da218a42f510215/reports/9b994197-d04a-404f-b60c-35293345d3f8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/74d4cdb1-df04-4cd2-afac-93238676aae8

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1326319

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-16 08:36:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=olowjobhcvlntye5bpjmfeh7rs4cxqyrins5tctzge7lblnqqmlq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6703706a8c532bece036e36fc650fc082b04c5b771e5c2458adf28fdc667ad97

AgentTesla

74a84823c35436e2a73f303aaf86be5d2c59f025c948c0044f948d613da91870

AgentTesla

ca5c1fefe9b9347b995dc040b7e50b867be70729041afffd475ce7856f394f5b

AgentTesla

d52275a861a9396629e78edca76c3b3cec55980115feadfd0e93ca9c400bbffa

AgentTesla

e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83

AgentTesla

f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3

AgentTesla

+ 36 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231016-khk2vsch6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317

MD5 hash:

923d4abf2e3c8ae7cd158bf5f9be2aa5

SHA1 hash:

bf9d25d8f52602ec70285019724bab1c320e5a62

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/3d1bc20a-be88-4a65-b1e3-d40b03aaa60e/

Parent samples :

72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317
112cd260d10fc7fb85c15add5d2a7f1fc4f4cf2c7be1339d259a747add1b12e2
2ed231f6ca8dc10f9a5de2b7389e29ee95ee6ab3001aff91798e0cb7f5e38cf4
a1f50fdf9ca6e035abda6da480358bf01c6b1b5edc32da2da59b16eaf5fafac5
3926e87c46de1b1637b022436f40375b9e0e7bfb0c5bc7ff4176ff9de208108a

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/72dd64b8271556d9e09d0bd2c290ff8cb82bc3114365d98a79313eb0adb08317

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/454789/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample