MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcad50b3c7baf6c886b6a97aacdc8639c524d652b4ebc683fc871518f4afdbd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	bcad50b3c7baf6c886b6a97aacdc8639c524d652b4ebc683fc871518f4afdbd8
SHA3-384 hash:	1f9e1ad613bf8e908d7e3c0cf1e557fc2aa5f47a3dbd1aa24205bc0e71cc2332b421341059f0e6bafef08bd258362a14
SHA1 hash:	73283320ce7e68e5355e02bf08f86d2d523df5b9
MD5 hash:	a73f295a352b42ffb25c398bd7694f59
humanhash:	pluto-connecticut-magazine-cup
File name:	Invoice86.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'821'696 bytes
First seen:	2021-05-14 05:49:46 UTC
Last seen:	2021-05-14 11:43:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:iHAd8ODZD+tFKCygtybTp1pcjrKp6sY1BqxC0AyowPI5LKWtz/mgoyJT:OAsHKJgtmp1pIzsY1Opqlxm0JT
Threatray	4'935 similar samples on MalwareBazaar
TLSH	0C859E121B050F5CF03DABBDB436540987F87E45F3E4EE5DB8A939D8277AB028D4A252
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice86.exe

Verdict:

Malicious activity

Analysis date:

2021-05-14 05:50:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/95856027-987d-48ec-b7a1-3d69866e06e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/156408/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/781591

Signature

Contains functionality to register a low level keyboard hook

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/bcad50b3c7baf6c886b6a97aacdc8639c524d652b4ebc683fc871518f4afdbd8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-13 10:53:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

147

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xswvbm6hxl3mrbvwvf5kzxeghhcsjvsswtv4na74q4krr5fp3pma._file

Verdict:

unknown

AgentTesla

674ab7cd2376e31a811469d50be263894d78b14c826b02a61b7da6069481522a

AgentTesla

7bcd067c0a67a7a6e2c3f3079b626afb4f9ab1b8643b50dce1a69cd94fdab4ee

AgentTesla

9057936347c73028c880c06c0f41c373e3db3b75085f5b8da60966025c545d4b

AgentTesla

9565ebcbb8cc07c12a28b5492741c237c0574758c6d033216bb10dc83bf21335

AgentTesla

b1617ffb1927fe6176fbffc4ebb242635c19bb656811967cba47493a4a43a580

AgentTesla

cd33314417e59031e5fb210cd40ce59202160d1a711c9e55fe1c3b04dc7431a5

AgentTesla

d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8

AgentTesla

dc688750bac89efbc67a9953b71351ab3b59551e0d293602ca3baaf75f8c5d71

AgentTesla

dce8c2e5bfa677c2971dd88a020fb27193c11fc9759fbe9ed52704fa7ec9f7f2

AgentTesla

+ 4'925 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210514-t115cgagpn/

Behaviour

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bcad50b3c7baf6c886b6a97aacdc8639c524d652b4ebc683fc871518f4afdbd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fc22d2993f9ab652ce83aa6cd050c027c68d2b756d9dff54dd6e0d9cbdd832d9

AgentTesla

exe bcad50b3c7baf6c886b6a97aacdc8639c524d652b4ebc683fc871518f4afdbd8

(this sample)

Delivery method

Other

Dropped by

SHA256 fc22d2993f9ab652ce83aa6cd050c027c68d2b756d9dff54dd6e0d9cbdd832d9

Cape

https://www.capesandbox.com/analysis/156408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample