MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf
SHA3-384 hash:	d9515a0c1381504b6a81b320128c6221bbcca9f5008e80886cb8fe7d00803e71151cac749c5b690e1d927d3eb6b91e61
SHA1 hash:	b501f1ae86d25289f775e22b7aa7a9b097aa41f6
MD5 hash:	78d33860fdeaf3d6c5949135869dc472
humanhash:	one-alabama-kentucky-winter
File name:	DHL GÖNDERİ BİLDİRİMİ_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	721'920 bytes
First seen:	2023-05-25 15:23:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:VWumzZBEP85ZWZ5BYc3ZCBLmrwKttQgrxkc5eaAnvN1qNjP5Lqo9MV+lsL7yMjaT:O9BEP8kB9CFCX9rxkM+nF1qtP5LqDyJ
Threatray	2'072 similar samples on MalwareBazaar
TLSH	T170E402613A683F16D13AC7F948303AB853FF6A6B7132E3966DD760CBB165F410A00987
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe geo Telegram TUR

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL GÖNDERİ BİLDİRİMİ_PDF.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-25 15:28:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bb6a6897-76a0-43b6-9ddd-e8d0cef54cc4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/391714/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2048.11489.15089.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/646f7d94c86650c08f128092/reports/d60d250d-91ac-436c-8835-b735cd03ed71/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64e9d2ce-8ebf-44e9-b81f-41907a68f28e

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1242555

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Generic Downloader

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-25 15:24:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xsjor4nram5rujslke7sw4iyibabjar6ooxhen7zw5kvoeml53hq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3b282e85f1c3566bd088c73a424801f1fc47c6655a067b4e3534f07b4303e288

AgentTesla

8005c1f11765b2f062b741afe29c062901a5603959d8334ca14421a3426d7526

AgentTesla

88c915fc9b19666779df6aa7bf4be92a7bc293ba9a00269ae1e83f2605a54f50

AgentTesla

9bfcddc5558b99ca104647f9f65f6eeb585d7eada6a786e841ff71d9a7a4c682

AgentTesla

a7cbbba4240bca662bb18a1b8f3de13c839b3714ca8a869fb5c99dda91f43913

AgentTesla

b0f2f1f1ca40e62865e6e6024ccb5ef8691431c037289e5544ac69230d9b943d

AgentTesla

b9129e7533b6b2e4db2b5a65399e6761987c2d3d260ac6be681b02948544b565

AgentTesla

eafd24a879b0e1458630666c4dbcc4f20c14a00b48525d05ef6055312085c10d

AgentTesla

ed4b9afcb717295f5fb71bcc6f408dbbed12c6858ee2f20a1f7bd2ab72074fc6

AgentTesla

+ 2'062 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230525-ss15tsbe7x/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Unpacked files

SH256 hash:

0e3ba3570cd3c9f0afa830428d986f8f4e7da46b741e638c0a18bb909823986b

MD5 hash:

bf743d44a73039a66ff3b089e5c03ef6

SHA1 hash:

af67bd36f390119445605accc0231497a2a7a0f4

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb

MD5 hash:

803e0c67b76960ff5d9ccb360ba9636b

SHA1 hash:

836d339682618638c6b2e3d156ad66a56e4f9ba5

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

SH256 hash:

136019e13a4777ed649fdf0f061e4ad169c91fc210a979eb29b22bc26c56223b

MD5 hash:

7aeaa422e0d009c69824cba4de40c79b

SHA1 hash:

40ff36f198bc61b6151f28451f24558e511042d2

Detections:

AgentTesla

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

Parent samples :

c69020d319adad3cbafcc89ed03083094e1484ff9b473b70434e2be28f4eaaf6
f6a5112b969d1fa88dbd095df950e3b586b00166c857656c1da21685ab94e093
4164d3bec950ac04c1a2e8edc8b4bccc4526daa5400e011c2622e9b08c720901
74364dacad18ae5d6930c6b8d3c41210ef3d3c2c7899386c2b2c17d7c84142ec
4c88e26f710c4aec376be1d0162bc0edbb5dc0092f5c786c9f5c15b4c5bc9706
b153261c18823db96bfd055e398bac3f7c3853aaa006c2017dc17d13e49e23f1
b90d614aa6a712c1c1ae460f35a852005123f2719fa15faf1837e90a8b138d2f
ed4b9afcb717295f5fb71bcc6f408dbbed12c6858ee2f20a1f7bd2ab72074fc6
ee215a3ddd28f9c0599ade58c8e18c1735abe7fd9883fe846ce480ced27aa663
9bfcddc5558b99ca104647f9f65f6eeb585d7eada6a786e841ff71d9a7a4c682
c67f1aa3ba774093756918e8dc2a2064e1d8e39a91f09c01d55ad38e73ef5a3e
a7cbbba4240bca662bb18a1b8f3de13c839b3714ca8a869fb5c99dda91f43913
bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf
f9310537144e0d9dac0a50fee380fa07322354e9248454c1bb60144c8bfd22cd
cf44163e574fb84c598bd3a738aac3119c0f64cc7c6fce5739faca7ea9158bcc

SH256 hash:

23398fa61772bb8ac8ff57b757ab185517d5effb02476b0962491acbf1a57b19

MD5 hash:

8f2e82527aad26758c0c24b89e41326d

SHA1 hash:

10387a5d26ecd62d36b79559b7f0c2a81663cebd

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

SH256 hash:

bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf

MD5 hash:

78d33860fdeaf3d6c5949135869dc472

SHA1 hash:

b501f1ae86d25289f775e22b7aa7a9b097aa41f6

Link:

https://www.unpac.me/results/84672f79-d94e-452d-be8e-5b3d4867b1cc/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bc92e8f1b103/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/391714/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample