MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8272b74901554c30f76d69d2d73685da505283e0ee95fbc21cdcd0a47560d337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8272b74901554c30f76d69d2d73685da505283e0ee95fbc21cdcd0a47560d337
SHA3-384 hash: 71144796795f7d79c465eb47e0fe89fb8612c6990780a0e915f71c253638a2b5bf31da58259094db914fbf0f60c758e7
SHA1 hash: d436935c676a115f1c5918285be5b0695084e144
MD5 hash: 3810ac5bf5a254122c70ab1c5dda6f32
humanhash: chicken-november-cat-finch
File name:BMPI-20100077.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:566'784 bytes
First seen:2020-10-29 09:56:29 UTC
Last seen:2020-10-29 19:22:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:5+a589CHvVzbXKigRKxb9X8yOwt3wCjUKY145JBPG:r8OdzWn8ZfhxgKoMRG
Threatray 939 similar samples on MalwareBazaar
TLSH B1C4F1761708AF24E1BD833B5846952013FDE905E723D966FDFA71EDA1A0F9029B2703
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/80872/
Detection(s):
Sanesecurity.Rogue.0hr.20201029-0911.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/515918
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8272b74901554c30f76d69d2d73685da505283e0ee95fbc21cdcd0a47560d337/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 08:17:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjzlosibkvgdb53nnhjnonuf3jiffa7a52k7xqq43tiki5la2m3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20301bf0496573999546b8da6dcc63806bef8426b4f28a43204630cce8ec6111
AgentTesla
20c0aebe7cad9faafeff8655a50fb31ef9e91208f17035f3b90b91ab8fce0e86
AgentTesla
2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb
AgentTesla
33f7282b31a19d0c54b18855ac47c10fa5a482a77ec94c10738744d6f9041d29
AgentTesla
4ceae1221e49d53bb92eff3f817abe974127605c00ca21d72184ee71ca0bb036
AgentTesla
8348c6c60034429d7bca499c5cfb52d04f0705cda36665cbff5db267958811ef
AgentTesla
c65f59e46bf3f95dd36355588b2b1661ac61878e1ce97364ff2c9bc9e5392e03
AgentTesla
e788686b2a0e0efbf94e3f33a47e63494ca216e965191d82cd2922b8af6fe037
AgentTesla
f90f1d3ed69df61ade3fda58c9a990595b88a02c066e570bff8eb8919002ee38
AgentTesla
fea590dbb8987a6358d6708c5728826c5dc44c943ff4145ab1bc6d110c03e13c
AgentTesla
+ 929 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201029-7qfhqrb8b2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0603c029985da4fa6263f5a470b73139413ca658f171f0c55f81c9b3fc1f3e8f

AgentTesla

Executable exe 8272b74901554c30f76d69d2d73685da505283e0ee95fbc21cdcd0a47560d337

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/80872/
  
Dropped by
SHA256 0603c029985da4fa6263f5a470b73139413ca658f171f0c55f81c9b3fc1f3e8f

Comments