MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f
SHA3-384 hash: 48635f84b06bc9d65112ec1fb2b2b7b1fb4654062585ceb801923efb9fcb2a72123ceb7011a1880262eaa2c556eb4144
SHA1 hash: a07d8a64f80abba16c56254038a27dedd11bfb8b
MD5 hash: e9d60fb9fc40c286c779123416ac66ce
humanhash: charlie-table-aspen-cold
File name:PUCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:24'576 bytes
First seen:2022-05-24 11:32:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:u5+Giyr72pSObLiQJ/JuHj6DLk6X/UWoyijn//yi1PiHev6YHUmTYV9hH9s7hVcO:u5+ir7US5Hj6DLXX/UWoyijn//yi1PiQ
Threatray 17'529 similar samples on MalwareBazaar
TLSH T1F0B22E31EBC54A3CC9A00F31C4B2D2C32662AEF66953DB3560835B9B7E3295106F6662
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eaea92b2f2e8acb2 (5 x AgentTesla, 4 x SnakeKeylogger, 2 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PUCHASE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 05:02:56 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/be842194-3c19-4a1f-85df-23f6ca37c346

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274043/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed wacatac
Link:
https://www.filescan.io/uploads/628cc2ab65e338159937f835/reports/4f740916-b833-478a-9236-bbd7db581b1b/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d328132a-ee9c-45e1-9803-b51afb785a49
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000579
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633075 Sample: PUCHASE ORDER.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 60 mail.privateemail.com 2->60 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 5 other signatures 2->78 8 PUCHASE ORDER.exe 16 7 2->8         started        13 Bbivq.exe 14 4 2->13         started        15 Bbivq.exe 3 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 64 cdn.discordapp.com 162.159.135.233, 443, 49745 CLOUDFLARENETUS United States 8->64 66 192.168.2.1 unknown unknown 8->66 54 C:\Users\user\AppData\Roaming\...\Bbivq.exe, PE32 8->54 dropped 56 C:\Users\user\...\Bbivq.exe:Zone.Identifier, ASCII 8->56 dropped 58 C:\Users\user\...\PUCHASE ORDER.exe.log, ASCII 8->58 dropped 88 Creates multiple autostart registry keys 8->88 90 Writes to foreign memory regions 8->90 92 Allocates memory in foreign processes 8->92 19 InstallUtil.exe 2 8 8->19         started        24 cmd.exe 1 8->24         started        68 162.159.133.233, 443, 49772 CLOUDFLARENETUS United States 13->68 94 Multi AV Scanner detection for dropped file 13->94 96 Injects a PE file into a foreign processes 13->96 26 cmd.exe 13->26         started        28 InstallUtil.exe 13->28         started        36 3 other processes 13->36 70 162.159.134.233, 443, 49775 CLOUDFLARENETUS United States 15->70 30 cmd.exe 15->30         started        38 2 other processes 15->38 32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        file6 signatures7 process8 dnsIp9 62 mail.privateemail.com 198.54.122.135, 49773, 49774, 49785 NAMECHEAP-NETUS United States 19->62 52 C:\Users\user\AppData\Roaming\...\ybfSF.exe, PE32 19->52 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->80 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->82 84 Tries to steal Mail credentials (via file / registry access) 19->84 86 7 other signatures 19->86 40 conhost.exe 24->40         started        42 timeout.exe 1 24->42         started        44 conhost.exe 26->44         started        46 timeout.exe 26->46         started        48 conhost.exe 30->48         started        50 timeout.exe 30->50         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 06:24:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wk57xw5depdevht22vdlwkxb36llezf2dr3pwzyccmit4yhbve7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12debb5b625d08f6bc4dd6160435cfde52a33c11dccd4b10fa07c225aba9565b
AgentTesla
191e0b6b997739d71b92939ca736a43be3e742aa1b8baf025b5f9114f1f3e7ae
AgentTesla
4097d7bdbe0b5665b4e59568b0eafc0d5514b36245445deb38e88911ed90417c
AgentTesla
6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1
AgentTesla
7ffa5fb65cb420698a4d9f54c52bc97d5bd4ac30813c727381d3bec8d3a0e192
AgentTesla
b64081fc4a7dc5e73ab017b1f0453c27d5e6040134dd269bc01de45cad3713b7
AgentTesla
b789ea800e24253ead1c150643aa729e7b7d5253bf6319aa4321680c615b8ec2
AgentTesla
db896a14c9c152fd60316f23ba1c1520d4262aa8c642b9596424ae26d42c92b0
AgentTesla
+ 17'519 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220524-nnt4hacdgq/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f
MD5 hash:
e9d60fb9fc40c286c779123416ac66ce
SHA1 hash:
a07d8a64f80abba16c56254038a27dedd11bfb8b
Link:
https://www.unpac.me/results/0a322f97-cc7f-456d-867a-20470aa3816b/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2bbfbdba323/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b2bbfbdba323c64a9e7ad546bb2ae1df96b264ba1c76fb670213113e60e1a93f

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274043/

Comments