MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 8

SHA256 hash: bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
SHA3-384 hash: afc0c879bf3dd7cd434bedcb238835f37cc30faa462b560f6305145c0483ed4764fcd0189c2923c1ab2ed1d4790d0917
SHA1 hash: e10d60efdf776a24201e8983d822e1c1da1def97
MD5 hash: fe849766195a6d7581ecac3b6c9fb82a
humanhash: wolfram-eighteen-fish-connecticut
File name: SecuriteInfo.com.generic.ml.13800
Signature: AgentTesla
File size: 459'552 bytes
First seen: 2020-09-24 11:58:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger). This imphash is shared by most .NET executables, which import only mscoree!_CorExeMain, so it does not identify the family on its own; pivot on ssdeep, TLSH or the certificate instead.
ssdeep: 6144:nxEp/E3R/En9xdfb4VlYBGxsmHeo19SIls73n+88/RUr:xEp8ixsKm+odKOir
Threatray: 91 similar samples on MalwareBazaar
TLSH: E3A42990A3E8C56AF4B71FB12CB6982119BB7E5D6CB0C60C2159371E5BF374050AAF1B
Reporter: SecuriteInfoCom
Tags: AgentTesla

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: Sep 24 06:26:54 2020 GMT
Valid to: Sep 24 06:26:54 2021 GMT
Serial number: 52E968C06799E644A2EE342C90DC2814
Thumbprint Algorithm: SHA256
Thumbprint: FBF80F6C506EBC23296AA5EDAB95A798917703901B65CF10C7BCE0C80FF448B4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
Note: the certificate's validity starts on the morning of the day the sample was first seen (Sep 24 2020) and no organisation or issuer is recorded, so the signature carries no trust; use the serial number and thumbprint as pivots to related samples rather than as a trust signal.

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph (ID 289550; sample SecuriteInfo.com.generic.ml.13800; start date 24/09/2020; architecture WINDOWS; score 100), recovered from the graph image:

Sample-level signatures:
- Antivirus detection for dropped file
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- 7 other signatures

Process tree (four instances of SecuriteInfo.com.generic.ml.exe are started from the sample):
- SecuriteInfo.com.generic.ml.exe (instance 1)
  - DNS: paste.nrecom.net
  - Connection: server5.nrecom.net, 37.120.174.218:443 (local ports 49720, 49725), NETCUP-AS netcup GmbH, Germany
  - Dropped: C:\Users\...\SecuriteInfo.com.generic.ml.exe (PE32); SecuriteInfo.com.g...exe:Zone.Identifier (ASCII)
  - Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures
  - Children: timeout.exe (with a conhost.exe child); WerFault.exe; SecuriteInfo.com.generic.ml.exe
- SecuriteInfo.com.generic.ml.exe (instance 2)
  - DNS: paste.nrecom.net
  - Dropped: C:\...\SecuriteInfo.com.generic.ml.exe.log (ASCII)
  - Signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
  - Children: SecuriteInfo.com.generic.ml.exe; timeout.exe (with a conhost.exe child)
- SecuriteInfo.com.generic.ml.exe (instance 3)
  - DNS: paste.nrecom.net
  - Children: SecuriteInfo.com.generic.ml.exe; timeout.exe (with a conhost.exe child); 2 other processes
  - The child SecuriteInfo.com.generic.ml.exe of this instance:
    - DNS: nagano-19599.herokussl.com; api.ipify.org
    - Connection: elb097307-934924932.us-east-1.elb.amazonaws.com, 23.21.109.69:443 (local port 49749), AMAZON-AES, United States
    - Signature: Installs a global keyboard hook
- SecuriteInfo.com.generic.ml.exe (instance 4)
  - Children: timeout.exe (with a conhost.exe child)
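As an added example (not code from MalwareBazaar or from any vendor sandbox), the hashes and network indicators listed above run over a few constructed telemetry lines. The workstation and firewall host names, the user directory, the internal IP and the timestamps in SAMPLE_LOGS are made up; the indicators are copied from the entry. api.ipify.org is a public IP-lookup service that benign software also uses, and the amazonaws.com and herokussl.com names and 23.21.109.69 were resolved by the same process that queried it, so the example treats them as low confidence and keeps the nrecom.net hosts and 37.120.174.218 as the strong pivot.

```python
"""IOC matcher for the indicators in this MalwareBazaar entry.

Added example, not code from MalwareBazaar or from any vendor sandbox.
The telemetry lines in SAMPLE_LOGS are constructed for the demonstration;
the indicators themselves are copied from the entry above.
"""
import re
from dataclasses import dataclass

# File hashes of the sample (from the entry).
HASH_IOCS = {
    "sha256": "bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886",
    "sha1": "e10d60efdf776a24201e8983d822e1c1da1def97",
    "md5": "fe849766195a6d7581ecac3b6c9fb82a",
}

# Network indicators from the sandbox run.  The nrecom.net hosts were
# contacted by the first instance of the sample: high confidence.
# api.ipify.org is a public IP-lookup service that benign software also
# uses, and the amazonaws.com / herokussl.com names and 23.21.109.69 were
# resolved by the same process that queried it, so they may belong to that
# service rather than to the operator: low confidence, needs corroboration.
HIGH_HOSTS = {"paste.nrecom.net", "server5.nrecom.net", "37.120.174.218"}
LOW_HOSTS = {
    "api.ipify.org",
    "elb097307-934924932.us-east-1.elb.amazonaws.com",
    "nagano-19599.herokussl.com",
    "23.21.109.69",
}


@dataclass
class Hit:
    line_no: int      # 1-based index into the scanned lines
    indicator: str    # the matched IOC, lower-cased
    confidence: str   # "high" or "low"
    line: str         # the full log line, for the analyst


# MD5-, SHA1- and SHA256-sized hex tokens.  The trailing \b makes the
# engine backtrack from the 32/40-char alternatives to the 64-char one
# instead of cutting a SHA256 short.
HASH_RE = re.compile(r"\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)
# Dotted IPv4 addresses or dotted host names (also pulls hosts out of URLs).
HOST_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def scan_lines(lines):
    """Return a Hit for every indicator occurrence, in line order."""
    hashes = {v.lower() for v in HASH_IOCS.values()}
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HASH_RE.findall(line):
            if token.lower() in hashes:
                hits.append(Hit(n, token.lower(), "high", line))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in HIGH_HOSTS:
                hits.append(Hit(n, host, "high", line))
            elif host in LOW_HOSTS:
                hits.append(Hit(n, host, "low", line))
    return hits


def summarize(hits):
    """Verdict plus a map of indicator -> line numbers where it appeared.

    One high-confidence hit is enough for 'infected'; low-confidence hits
    alone only justify 'suspicious'.
    """
    by_indicator = {}
    for h in hits:
        by_indicator.setdefault(h.indicator, []).append(h.line_no)
    if any(h.confidence == "high" for h in hits):
        verdict = "infected"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, by_indicator


# Constructed telemetry: host names, user directory, internal IP and
# timestamps are made up; the indicators are from the entry.
SAMPLE_LOGS = [
    '2020-09-24T12:01:03Z host=WS-17 event=FileCreate path="C:\\Users\\jdoe\\Downloads\\SecuriteInfo.com.generic.ml.exe" sha256=bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886',
    '2020-09-24T12:01:05Z host=WS-17 event=DnsQuery qname=paste.nrecom.net rcode=NOERROR',
    '2020-09-24T12:01:06Z host=FW-1 action=allow src=10.0.4.17:49720 dst=37.120.174.218:443 proto=tcp',
    '2020-09-24T12:01:08Z host=WS-17 event=DnsQuery qname=api.ipify.org rcode=NOERROR',
    '2020-09-24T12:01:09Z host=FW-1 action=allow src=10.0.4.17:49749 dst=23.21.109.69:443 proto=tcp',
    '2020-09-24T12:01:12Z host=WS-17 event=DnsQuery qname=www.microsoft.com rcode=NOERROR',
]

if __name__ == "__main__":
    verdict, where = summarize(scan_lines(SAMPLE_LOGS))
    print("verdict:", verdict)
    for ioc, lines in where.items():
        print(f"  {ioc}: lines {lines}")
```

Feed real DNS, proxy, firewall and EDR file-hash events into scan_lines in place of SAMPLE_LOGS; the split between HIGH_HOSTS and LOW_HOSTS is the part to revisit once the shared cloud endpoints have been checked against the organisation's own traffic.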
Threat name: ByteCode-MSIL.Infostealer.Agensla
Status: Malicious
First seen: 2020-09-24 09:22:53 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
ServiceHost packer
Unpacked files (the hashes listed are those of the submitted sample itself)
SHA256 hash: bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
MD5 hash: fe849766195a6d7581ecac3b6c9fb82a
SHA1 hash: e10d60efdf776a24201e8983d822e1c1da1def97
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Malware family   File type        SHA256
Web download      AgentTesla       Executable exe   bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886 (this sample)

Delivery method: Distributed via web download

Comments