MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d
SHA3-384 hash: 3c583a3530b38bee3b2eaa9cfff4bec1935beaf3990d26df3fec2f815d659f94e8a8ea6587c9deb5bf787d01f1ad75dd
SHA1 hash: 1c2c36fdc78e4f34ce1532e0c0d442977f406eeb
MD5 hash: a480b8a9706499b3b5ea1874cd1d5200
humanhash: victor-monkey-double-idaho
File name:HSBC Payment Advice_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:457'911 bytes
First seen:2023-01-27 07:11:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:IYqajcxB+UiZkj0PVanPw5L6qloCVtaLgCLmcvJ:IYqycxf0kj09a19CVtaLgCLjR
Threatray 27'228 similar samples on MalwareBazaar
TLSH T14DA4E093F39C932EEEE854F2743D427041C6AF5B50A05E85B1C9FF7E20B685D29291D2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2d6d8d2722594c74 (7 x Formbook, 1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
HSBC Payment Advice_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-27 07:11:18 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/39529266-0ad4-4f06-8a15-f930f449f05b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357326/
Detection(s):
Win.Dropper.LokiBot-9984680-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Сreating synchronization primitives
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63374/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63d37944447edb203a015dbb/reports/5db51cb3-e7e5-4da6-a18d-f936b73f420f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/782bc52c-2b48-482b-985d-66a3348398cb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160052
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 05:45:29 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqwm7degbnjod6eezkh23apintm3nvs7dyfocjxcur2qneye7y6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b26307259d191635935137b332c6522fbbe7c7ddc141636fddbba2bac14f60f
AgentTesla
493ab622b2a06d2b28758eabf3762ea632cb9ca6b3b59d0fcda8dc025c8385a2
AgentTesla
4993d4dcf5bfec767f60d267c1e66c9578cf6f167cca42ee4a91912e3a732046
AgentTesla
70c7c374573397448b07b30890372fe0b9e764c2f88c1f199b80b9d7e563a5c6
AgentTesla
96c5bf3d91f626f33a0720ce3c1ffa3a27096c8c98e738c89fb200f0bb44a103
AgentTesla
b4ba731864409ac285826803a25e261d8fcb9678de8e5f1a5a5ca6716b323f8d
AgentTesla
e494b204a5493348b13f727b2046d1cffe8d054444b0476a53a24186dadc2f2d
AgentTesla
+ 27'218 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230127-hzzv8sae7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5731015181:AAEnN7QEEeN_fBCr0YFv_H7lrNpKS_lkspI/sendDocument
Unpacked files
SH256 hash:
273455604a5dadbed650ad78c06dc3cdaee82d600a181cfc2b5a380b1025748e
MD5 hash:
375ff2f2c11091e62f78a54e2af624c3
SHA1 hash:
bf5cac65bdbe2f7b1a2898088cd4ebed0297a75e
Link:
https://www.unpac.me/results/8c4ac8d6-80b5-47d6-8ac1-8e8f9c491fb7/
SH256 hash:
555558ee5801315214c5ba42fbe1f2954f3798c9b80b1b12a948dfaa9514233e
MD5 hash:
e8a046372a4a7e7c457fc598f04cfe0f
SHA1 hash:
2250376abb12a28d476700f544ef284a305f4c46
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/8c4ac8d6-80b5-47d6-8ac1-8e8f9c491fb7/
Parent samples :
1934d67c56986a33cc6a786899f4bca45886ef7ddcb1abcab4a8061e0abe1a5d
bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d
SH256 hash:
f95648cddc8afce78f4934c88aec2d659a01687ac01ed25042d3d82ef1e6f96e
MD5 hash:
c9a492fee6d36af7a78fbc24e91ad97e
SHA1 hash:
7960a43f66e1e4bd2d1cd2f2249b5cdd50b8cde1
Link:
https://www.unpac.me/results/8c4ac8d6-80b5-47d6-8ac1-8e8f9c491fb7/
SH256 hash:
bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d
MD5 hash:
a480b8a9706499b3b5ea1874cd1d5200
SHA1 hash:
1c2c36fdc78e4f34ce1532e0c0d442977f406eeb
Link:
https://www.unpac.me/results/8c4ac8d6-80b5-47d6-8ac1-8e8f9c491fb7/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc2ccf8c860b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bc2ccf8c860b52e1f884ca8fad81e86cd9b6d65f1e0ae126e2a475069304fe3d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/357326/

Comments