MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc5d82859d4b7c567fa029977042a8e6629a2d1b3afa92b6f52a33d3006a068b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc5d82859d4b7c567fa029977042a8e6629a2d1b3afa92b6f52a33d3006a068b
SHA3-384 hash: b47679e80ecac4c151a2c64bd22e72638c0fc9777992f681cd397fe45eec90f9c0e6623fb3ba4966369dfe06ba01be29
SHA1 hash: 4e244ad9f56a36436df87d254409d4c1f18f703c
MD5 hash: f57efce1d4d598fe588222053b7d0af1
humanhash: bravo-butter-colorado-table
File name:Drawing for New Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:862'720 bytes
First seen:2021-07-19 10:07:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:19Pei42L46EdiAV8iGEAS+Fmq8cqX6lp2iXVpv:1B02L49Oir+ZRIip2Ev
Threatray 7'017 similar samples on MalwareBazaar
TLSH T18105D03382600A9BD3BA51B4D0011101F6F5868BB393F7767DC868D5B1F9B6A87F352A
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Drawing for New Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 10:02:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81243fc6-421a-460d-9e86-38a412588c22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172517/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1976ca93-b7a6-452b-b52f-baf98ee13968
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818178
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450589 Sample: Drawing for New Purchase Or... Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 12 other signatures 2->80 7 Drawing for New Purchase Order.exe 7 2->7         started        11 Mymp4.exe 2->11         started        13 Mymp4.exe 2->13         started        process3 file4 52 C:\Users\user\AppData\...\qqFRrpuZGcAnfs.exe, PE32 7->52 dropped 54 C:\...\qqFRrpuZGcAnfs.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpE48C.tmp, XML 7->56 dropped 58 C:\...\Drawing for New Purchase Order.exe.log, ASCII 7->58 dropped 82 Adds a directory exclusion to Windows Defender 7->82 15 Drawing for New Purchase Order.exe 7->15         started        20 powershell.exe 23 7->20         started        22 powershell.exe 24 7->22         started        30 2 other processes 7->30 84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->88 90 Injects a PE file into a foreign processes 11->90 24 powershell.exe 11->24         started        26 schtasks.exe 11->26         started        28 powershell.exe 11->28         started        32 2 other processes 11->32 signatures5 process6 dnsIp7 60 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.224.49, 443, 49733 AMAZON-AESUS United States 15->60 62 nagano-19599.herokussl.com 15->62 64 api.ipify.org 15->64 48 C:\Users\user\AppData\Roaming\...\Mymp4.exe, PE32 15->48 dropped 50 C:\Users\user\...\Mymp4.exe:Zone.Identifier, ASCII 15->50 dropped 66 Tries to steal Mail credentials (via file access) 15->66 68 Tries to harvest and steal ftp login credentials 15->68 70 Tries to harvest and steal browser information (history, passwords, etc) 15->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->72 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 30->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc5d82859d4b7c567fa029977042a8e6629a2d1b3afa92b6f52a33d3006a068b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 23:52:14 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xroyfbm5jn6fm75afglxaqvi4zrjuli3hl5jfnxvfiz5gadka2fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01330ada2211171d1bb5db977363a94cea239c455ea8c2fabea401a29b1c8143
AgentTesla
20dbea65f9ea5d713ead877a8fdca2bb606af820520ea99fafcef39fc7652ce2
AgentTesla
2ff93944081c104e8175f5209255c50e92d65f8a3e35fbf01c5f6f46237575af
AgentTesla
431c9f8b4b58782d7f9ebeccb1b3a18357667fef8293571cf01aa72f98720df2
AgentTesla
6609cf9b0aefabaaf1bccc04237e6ff32315960166bf4aa2ff5372cfb51c80d3
AgentTesla
8fcd181aee4fcb60aa5769acde96e8154ad99c054b10d195163116df1fb3f8e1
AgentTesla
ad39169af0ebe9afeba1bc9947951d8235f938f95fb266282860115bc1cad4a4
AgentTesla
b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7
AgentTesla
c992c0fa62a6de01d5b1eaabd3d4ad932293792603269198a347c1eea940387c
AgentTesla
e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157
AgentTesla
+ 7'007 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210719-na3b5ygk62/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ea9cf74af89c83aafb1e844ba2f29303bb58bb1cbdf3f5088526933ca9651ec7
MD5 hash:
e4d59bdb75c9a0bf7d5ea1bcd222cf5a
SHA1 hash:
b3f92ee5e50054f5767b6bc9b8daefa93c79be6d
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
SH256 hash:
152ead58d1312e7929b42bf2ac6462c4c65802d3565bbb19f0da2c20ac5f6725
MD5 hash:
8ca7c135c8dffe3258e517856d429071
SHA1 hash:
859c5da334feee5e617cd2a37345ee14aec7386c
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
SH256 hash:
6183d2fab0a0729e78e246503d0c59856886d94e997aa244226e63c26c63337d
MD5 hash:
fd8e003781782f2eb0aa24826baa3a63
SHA1 hash:
4e754eb37e19895403f8cbbdbe427c0f29a0c408
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
SH256 hash:
6f02ba3ef49350a141f2cd1f7ffedceaa91d6bd23d39f04096977c01afabc62a
MD5 hash:
2ad3b6fcda2e43daef6cf07661e41a7a
SHA1 hash:
1e66ff628c6086e2c23cfbcbb0d0891a5cf9d865
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
SH256 hash:
bc5d82859d4b7c567fa029977042a8e6629a2d1b3afa92b6f52a33d3006a068b
MD5 hash:
f57efce1d4d598fe588222053b7d0af1
SHA1 hash:
4e244ad9f56a36436df87d254409d4c1f18f703c
Link:
https://www.unpac.me/results/bc12cb3b-0462-483a-815c-44dfda75baac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc5d82859d4b7c567fa029977042a8e6629a2d1b3afa92b6f52a33d3006a068b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172517/

Comments