MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 15
| SHA256 hash: | bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817 |
|---|---|
| SHA3-384 hash: | ab341f2e149dc4375b7cb9ba7ef3574276a822c305a703aae30cdc83d71e04e236fcf37e3fbe7a85473b5b884ff3ec94 |
| SHA1 hash: | a55540a2de9308ef0335a10cd8687fddf18a951b |
| MD5 hash: | 517e1e64693a0e671732b92c0c61b101 |
| humanhash: | mango-sink-johnny-bulldog |
| File name: | TEKLİF TALEP VE FİYAT TEKLİFİ_PDF.exe |
| Signature | AgentTesla |
| File size: | 584'704 bytes |
| First seen: | 2023-12-15 18:28:50 UTC |
| Last seen: | 2023-12-15 20:35:43 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger) |
| ssdeep: | 12288:T2iNb0oLtwsSz07nE7zcURpZ6Dem9rPmyLZ4qF3Ku:T16gKscinAxYDem9bLLZ4qF3Ku |
| TLSH: | T1ADC4233522D00B79EBB74BFA62AB61258B72740B4C91D9651EDD24CA0977B438300BFF |
| TrID: | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13); 10.2% (.EXE) Win64 Executable (generic) (10523/12/4); 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 4.3% (.EXE) Win32 Executable (generic) (4505/5/1); 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Reporter: | |
| Tags: | AgentTesla exe geo TUR |
Intelligence
File Origin
# of uploads:
2
# of downloads:
268
Origin country:
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TEKLİF TALEP VE FİYAT TEKLİFİ_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2023-12-15 18:37:54 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labeled as:
Malware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Detection:
agenttesla
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-12-15 10:04:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
11 of 37 (29.73%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SHA256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
SHA256 hash:
e3b773a5e023cfe2a43eb15f0cb3144458b86c0e8845a74304425d8aca5434f2
MD5 hash:
04503238932b4746a6d9ba7706ef115f
SHA1 hash:
ccab6131c041e299643e42e0b9f30cc0ceb3a011
SHA256 hash:
c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf
MD5 hash:
160f4669c06c6496d79a92ea9d33e89b
SHA1 hash:
baae226fdb2a9739f118db781bdc74f2efc6a585
SHA256 hash:
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash:
ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash:
4f2ac65623e89a9457cdd5fc51dc5d747b4830e4
Detections:
AgentTeslaXorStringsNet
MSIL_SUSP_OBFUSC_XorStringsNet
INDICATOR_EXE_Packed_GEN01
Parent samples:
SHA256 hash:
bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817
MD5 hash:
517e1e64693a0e671732b92c0c61b101
SHA1 hash:
a55540a2de9308ef0335a10cd8687fddf18a951b
Malware family:
AgentTesla.v4
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment