MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857
SHA3-384 hash: e1c9cce63cfd8bbe14e1235b39c4e2e71f1e9c5582a2e91169f654518789cafdd50a2dcefda846784ed4cf71ed10915e
SHA1 hash: b44303c20c81cfb1777029653bed50fe8a6aee03
MD5 hash: 8d28724369496d29fd73c63dec780211
humanhash: golf-march-emma-hot
File name:SecuriteInfo.com.Trojan.Packed2.42850.16708.25331
Download: download sample
Signature AgentTesla
Create hunting rule
File size:603'648 bytes
First seen:2021-02-22 16:50:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:RoDE68PhrcxnsiTQa9cx534QzOKfvF/iacfYBZ4KHbhSaCNkmqqeYHC:RouhTeqxpzOK3LPHbhHUe
Threatray 2'817 similar samples on MalwareBazaar
TLSH 0CD4229232E4BB61F0BE5BF9A97400002BB1B9158476EF6C0EC174EE5971BD086A1F33
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ali.exe
Verdict:
Malicious activity
Analysis date:
2021-02-22 14:49:57 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/3695b90e-4539-4a07-bf90-80ceadfc3fe7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118359/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42850.16708.25331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614330
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 11:59:03 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsuerl5kqn7pcp5rbf2zsaozgchndlys3nx33vk23d2o5bl4nblq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17e6d7c107027e70986b47c51333b519c0c4b779f0c010462bfaaa740e7e7b18
AgentTesla
30e4bee5bf128236c294ca4c6a6218ed812ae24eef0749356a86ca499a260713
AgentTesla
379cb7e16563b36644d8ffee8ae650e59fff7241835f129d9b5436279d90a6e5
AgentTesla
4a9558166c80c188e48a382edbe91a387a7e3aa877d035420bb0e7b198eccdfe
AgentTesla
6e811c6d2e8ea028d3b5aa94119971abdf9a45c7728e72fefdffc5c17c0d436f
AgentTesla
7c38652e82dd9a34d66d7f2086b55bd88db405974eed27dc8ac5ba3f15616729
AgentTesla
a223c2fb94ee1f33dbef1176a1d996935b251de30a65a37773e6fdcf8764aab9
AgentTesla
a5117eb684d040eb8b71762d4bf70e8e1aa0bb3b228246f5141a3beb4cdf0463
AgentTesla
ac4ebd8295be6f09df1b5c68d0ad49643d19206ce9e750ed47029331968298c6
AgentTesla
e49ea9c326ce0cfcf7c4795428cda9d52da65c670a31748b1cb067b14d6a3c83
AgentTesla
+ 2'807 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210222-93dg8q49dj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/18c2df17-2893-4243-b0fd-086fa9155f1c/
SH256 hash:
1b80fedfc103caa88a88728c3589725aa6a89f188be463b5cde345e23774e0c9
MD5 hash:
e046cc9b186e2cc1f76eeb759a11920a
SHA1 hash:
57da72bea28186d3a4d67f6cef383bc605539f50
Link:
https://www.unpac.me/results/18c2df17-2893-4243-b0fd-086fa9155f1c/
SH256 hash:
8c3642169b28231b0db5122b36e12d22b52f1f4063fbfed05714e9c461fb89d0
MD5 hash:
e9525a40ec28fac98d8a47b43af91481
SHA1 hash:
e809dbdc0d71491ed576a33d6fce38c95a4755c6
Link:
https://www.unpac.me/results/18c2df17-2893-4243-b0fd-086fa9155f1c/
SH256 hash:
bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857
MD5 hash:
8d28724369496d29fd73c63dec780211
SHA1 hash:
b44303c20c81cfb1777029653bed50fe8a6aee03
Link:
https://www.unpac.me/results/18c2df17-2893-4243-b0fd-086fa9155f1c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bca848afaa837ef13fb109759901d9308ed1af12db6fbdd55ad8f4ee857c6857

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1024029/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118359/

Comments