MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 839fe50643326105b4a44193db365e347eebdb98fd9cbdb22b26fb64589605a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 839fe50643326105b4a44193db365e347eebdb98fd9cbdb22b26fb64589605a7
SHA3-384 hash: 1454fd5da59101d9b4662e02250e6f2ec7297906bbaf2a5014b4c9af05ef00bd1f77c2fa9854ac0df0a086a8928ad32c
SHA1 hash: 629d568f17687fba89d7d9af41e2f1669bdbc828
MD5 hash: 4356ec13f3ecf498927e9201c486efe8
humanhash: vegan-finch-red-zebra
File name:Bdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'584 bytes
First seen:2022-05-18 13:53:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RtTTBd5X1ZRRyNeT7Gx6QOHeqsi9jO0LgvxUDosGQr:7/BfFZ+eTE6b+aPsfQr
Threatray 16'516 similar samples on MalwareBazaar
TLSH T17DE4F12963A8DE50E9BE47BAC0A201F817B46D47D512F75BCED07CCA3D363C1461AA1B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Bdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-18 23:20:43 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/95295a56-bd86-4f98-8f1a-0099e999d1bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272127/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.21240.12197.14435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e28dde6e-826c-4e3e-95ce-d69c27b17afb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996843
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 629340 Sample: Bdf.exe Startdate: 18/05/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 12 other signatures 2->41 7 Bdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\KZnWAmGsY.exe, PE32 7->23 dropped 25 C:\Users\...\KZnWAmGsY.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp636C.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\Local\...\Bdf.exe.log, ASCII 7->29 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 Bdf.exe 15 6 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 api.telegram.org 149.154.167.220, 443, 49752, 49753 TELEGRAMRU United Kingdom 11->31 33 192.168.2.1 unknown unknown 11->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 2 other signatures 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/839fe50643326105b4a44193db365e347eebdb98fd9cbdb22b26fb64589605a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 13:52:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qop6kbsdgjqqlnfeigj5wns6gr7oxw4y7wol3mrle35wiwewawtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
52282dc30cfcb5993ceb060a9b95ed551173056a305330bb687b07c9d3c83cce
AgentTesla
86ced7ef9734d5c2a044b46c503ce2151edeaba3a4f33a2f2365356f0b2b9210
AgentTesla
9146d1635d9550a72d70e5a1748b48e4edd325f8f715139fa871e26292299cb7
AgentTesla
9d60afaec2fc81f295ceb835fde3331246eddc71d5a5750e9b1a47038ef0b546
AgentTesla
a96875a604f8e4c381ec3140b0f7a942272cc42eda74b2ebaa310e32703f18e7
AgentTesla
aba69f59df6e5913552e1dfd26ab7dc50225d62231958c85d7e2fb349544db2f
AgentTesla
ada82cc63307ef87e14cfdcb3e01265fa581b4f55076dcff53e7421b6a2c8830
AgentTesla
b5bb2779f0527200837d519ee00b5a45d1cf8d40c2a4cba5031eb4fd14113271
AgentTesla
d9d6c508f7c8885230ba1ea6501b8dceaa9605fe25f89122dd03eec34762f925
AgentTesla
+ 16'506 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220518-q7h7fsaee2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5160342877:AAG7aI_cOY3UzpErIEUdfVUJMJszvGYLIiI/sendDocument
Unpacked files
SH256 hash:
e3080b276cf4f34d97ab596c512ea50026e9212025ca2b42eee47e479b4348f4
MD5 hash:
72f122df935387437732899a349cd919
SHA1 hash:
d7e5545c6826d610ae3f286f28c528808d0b40de
Link:
https://www.unpac.me/results/e86e3f35-8c52-4846-9ac9-8330e6a9a6b7/
SH256 hash:
aaf2a34980717a12c65b63239bf320315d3403df6bafb3b02a55586b47eb900f
MD5 hash:
21f4c5da369b1fa3ade71af18b7ea9d7
SHA1 hash:
56fba7a891cd26e8d994948eaef0157b94c9cfd2
Link:
https://www.unpac.me/results/e86e3f35-8c52-4846-9ac9-8330e6a9a6b7/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/e86e3f35-8c52-4846-9ac9-8330e6a9a6b7/
SH256 hash:
a0cc5899d837d098e1e68976930f4d3f274dfd04aaddfded06cdf2419f23bdc3
MD5 hash:
a905e01d832ff1aa444d164dc7550797
SHA1 hash:
08daa9e6a917b93bb13f18782d393a9f3daf53d9
Link:
https://www.unpac.me/results/e86e3f35-8c52-4846-9ac9-8330e6a9a6b7/
SH256 hash:
839fe50643326105b4a44193db365e347eebdb98fd9cbdb22b26fb64589605a7
MD5 hash:
4356ec13f3ecf498927e9201c486efe8
SHA1 hash:
629d568f17687fba89d7d9af41e2f1669bdbc828
Link:
https://www.unpac.me/results/e86e3f35-8c52-4846-9ac9-8330e6a9a6b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/839fe50643326105b4a44193db365e347eebdb98fd9cbdb22b26fb64589605a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/272127/
  
URLhaus
https://urlhaus.abuse.ch/url/2200860/

Comments