MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5
SHA3-384 hash: a7de6ee0e60dc091e8a23d84f4df6c142a2c365a69a1ec1be1e5e6ed4ee6440d722ecf6b211632208ab24c775065ea22
SHA1 hash: 9cddf51dded31674cb4dfdb6ed19a3a8a519c0af
MD5 hash: 23dd8c43d332f7b7958b14d2f75900b0
humanhash: fix-comet-uniform-autumn
File name:payment copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:471'040 bytes
First seen:2020-06-24 05:47:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:jVMJc8MX2yEVeUdtPbAUdY9WIwcOM7urw7LOFDL40q6:jVMJDpX3dtMlWIJS+KFYW
Threatray 10'731 similar samples on MalwareBazaar
TLSH 98A4F10737ACFC13C8BC29F8A4C62B4463B96A6A6292F2D95CC162DD15D37F649127C3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.o-g.me
Sending IP: 164.68.104.12
From: Jawaid Ahmed <m.ababneh@hosbanclearance.com>
Subject: payment copy shipment documents
Attachment: payment copy.zip (contains "payment copy.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13430/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 01:47:27 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqbpp5brp5t5zsppmc2sismeghwa54fsmh3rlrfsany6ii5tb62q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
AgentTesla
2eac0d89fa316a87fdce6690c5fbe7706ad5cc91a5873589da4260c059fe6966
AgentTesla
51cd50a11b008b97589100b5233bf8ce7926dd49bb197ef45abd62788c5fdbcc
AgentTesla
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
AgentTesla
69e1a15be2f6adc6268ec617568b3d2725122eb8d34873c23a7117b24e8b6854
AgentTesla
76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
91e414276a656dc9276aab26d67944f915e2267cd2b1b746193b1fc3225aaeed
AgentTesla
b8214924a598b9fd3193099fecd6c3d09f06dc5e3a9af098642c7d5327c05cd3
AgentTesla
ba3b49260d4a7b2777b3fc983d532144bc7bab77e35f2608bbdc2854ab7a31d0
AgentTesla
+ 10'721 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-bzk94nmeve/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 40963de95497e3d48c255382690a7d18ec1b6f0f2b9c62cdafc830862ca97f4b

AgentTesla

Executable exe bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5

(this sample)

  
Dropped by
MD5 86ea2231c281e62531c25e4ac689f15e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13430/
  
Dropped by
SHA256 40963de95497e3d48c255382690a7d18ec1b6f0f2b9c62cdafc830862ca97f4b

Comments