MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
SHA3-384 hash: f21652f5e38dddc45be472687cee8a123ad73c99514da3849d5df0af23b1600fd98a5dbddf99a0d11e37aa5020055c35
SHA1 hash: 52673459e443f6a57c80a0e52160eebb638eaa61
MD5 hash: e7973abc77f88ab490e32fd14b7d445a
humanhash: nevada-spring-hydrogen-echo
File name:MACHINE QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:33'280 bytes
First seen:2023-01-26 17:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:yM119NYrB3JBZd+y043kAmZbIkr05tIevQ:jkHl0exEIk2vQ
Threatray 1'004 similar samples on MalwareBazaar
TLSH T1B8E26C1463EC827BE77F5BBEBC7541A10BB1AA23A426FF4C358D51C91B4279402217AB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MACHINE QUOTATION.exe
Verdict:
No threats detected
Analysis date:
2023-01-26 17:22:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7d0ad2dc-c0a5-4729-84c8-499ca52648fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357182/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63d2b6f81c9cbf7d62531e30/reports/ce2f2991-4b6b-4413-baf2-d25599c87055/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a4228ebf-db9a-4c50-8794-34c16f23846a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159734
Signature
.NET source code references suspicious native API functions
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792474 Sample: MACHINE QUOTATION.exe Startdate: 26/01/2023 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected UAC Bypass using CMSTP 2->49 51 6 other signatures 2->51 7 MACHINE QUOTATION.exe 3 2->7         started        12 newapp.exe 2 2->12         started        14 newapp.exe 1 2->14         started        process3 dnsIp4 43 185.17.0.79, 49712, 6666 SUPERSERVERSDATACENTERRU Russian Federation 7->43 35 C:\Users\user\...\MACHINE QUOTATION.exe.log, CSV 7->35 dropped 61 Writes to foreign memory regions 7->61 63 Injects a PE file into a foreign processes 7->63 16 AddInProcess32.exe 17 9 7->16         started        21 MpCmdRun.exe 1 7->21         started        23 HxTsr.exe 1 13 7->23         started        29 25 other processes 7->29 25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        file5 signatures6 process7 dnsIp8 37 api4.ipify.org 64.185.227.155, 443, 49715 WEBNXUS United States 16->37 39 ftp.antleds.com 176.9.136.101, 21, 49716, 49717 HETZNER-ASDE Germany 16->39 41 2 other IPs or domains 16->41 33 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->33 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->55 57 May check the online IP address of the machine 16->57 59 6 other signatures 16->59 31 conhost.exe 21->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-26 09:47:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpvhkqpxe3bozohoxpeh632swug3k6udmvy25gypd7mr363fhnea._file
Verdict:
malicious
Similar samples:
46ef02874c713328d14ecbe37fdd1cada98c9e049afd132debbc095164dae778
AgentTesla
4795e398d5dce733ecb352580be08b33ae668684856a5cf34a8cc21fa303c60e
AgentTesla
590e81a847fe5bf4bf4e23ce70b49fb27ec3048ffd8b02e360b757d26e2eac6c
AgentTesla
7f03e073aed2a3458a76cf000cd58342e34ddd785cdb5947321d904dfb2d4dfa
AgentTesla
bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
AgentTesla
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
AgentTesla
f56c8e197bbe551942b7e01808646b1ccbb01e8d43fc2ba3e5a6017e40e8e1d4
AgentTesla
+ 994 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230126-vx44dsee69/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Unpacked files
SH256 hash:
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
MD5 hash:
e7973abc77f88ab490e32fd14b7d445a
SHA1 hash:
52673459e443f6a57c80a0e52160eebb638eaa61
Link:
https://www.unpac.me/results/b6ce3067-ec6f-4c51-b0fd-5526ff168b47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/357182/

Comments