MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8
SHA3-384 hash: 47e836501f0fe4161c5394b59f3d2124530a261093c17f723858f1c0625f1a3c35e2824b4c1855481c86bfb187f01920
SHA1 hash: 8c4e29cbe5e659d6a8ef933bc6d1681bf8c7f1d7
MD5 hash: 690108f637456923feeb43667e61a6fa
humanhash: apart-princess-hot-double
File name:Machine Specification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:631'296 bytes
First seen:2021-10-04 11:12:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:CV3oGEXxlPGyYiYs67QQ4OTC/SLQdA8QaiPCJT6YashlM0JT6YashlM:OahVGyte//LOl9ashlV9ashl
Threatray 10'650 similar samples on MalwareBazaar
TLSH T147D4F19D13AB5644FDBE87F5B87091805BB2B8272409D73C5E8028ED1C737E48AE5B63
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Machine Specification.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-04 11:13:41 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/38a49263-e823-4169-b103-ebbac56b6946

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194573/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c0f81b95458900cdc6029/reports/e4ca57a0-d689-4ddb-b300-0c113bf19633/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/729f4306-3304-4bf5-873e-593926af7e11
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863851
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496278 Sample: Machine Specification.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 27 ftp.northsrockusa.com 2->27 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 7 other signatures 2->43 7 Machine Specification.exe 3 2->7         started        11 newapp.exe 3 2->11         started        13 newapp.exe 2 2->13         started        signatures3 process4 file5 21 C:\Users\...\Machine Specification.exe.log, ASCII 7->21 dropped 45 Injects a PE file into a foreign processes 7->45 15 Machine Specification.exe 17 5 7->15         started        47 Multi AV Scanner detection for dropped file 11->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->51 19 newapp.exe 2 11->19         started        signatures6 process7 file8 23 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->23 dropped 25 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->25 dropped 29 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->29 31 Tries to steal Mail credentials (via file access) 15->31 33 Tries to harvest and steal ftp login credentials 15->33 35 2 other signatures 15->35 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 09:48:49 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtin7p2h2ay2z2bqr63dwuvyqns5w44coczxzlrqildru3zyow4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3529f437801eed53684a28376fa14332cf44a3b8396e8473bccdb92bf2fedb25
AgentTesla
4994562a8195097940cac88cff7737d8d990189acfdc2e1bc2f0133428304593
AgentTesla
8642bef0da90b39eff7e2f28570d28aa2a9aaabcd181c9f64bcfbdd331a606f1
AgentTesla
8c63a7665a27d47e20bd74c4aaba5cf4a76d981bfd52820f935efd097dcfda3d
AgentTesla
9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa
AgentTesla
a399844738311c40578a974578232bb9c46b488a3011baf4770a77744abf818d
AgentTesla
b26bfa277644c0c5eb8fa1a8bc4734131ab15100d81b2d5a1dc9aaee1fd2a23a
AgentTesla
cfc69df3b5f41ee92180b939f1619afdda4d7986e740fd2fa581d09442e453c1
AgentTesla
db7c19e4dfdcce7817b7a6608b3d800668ec0ac950962e3a01f6159b4cf4a9d9
AgentTesla
e257d47b4824f3ec42b8c554f85cde0da89c359fecedc38be112da8724806576
AgentTesla
+ 10'640 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211004-nbdwragcdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7e028c3077f4599c9d4b87edf3b24931915c27df60ae5797ba0f077f53b0ff4b
MD5 hash:
88e448c9dedcc12ff1e5a7c5f85d7a8a
SHA1 hash:
e78cc9eb1ddaac5f60647cae84d1fd0a53d32f6d
Link:
https://www.unpac.me/results/0707f36a-0294-46bb-a0d4-67fb8233e43a/
SH256 hash:
0ddb203921ae2d605e17a5df643d08cc0f20c245b43d68aa4796369502327553
MD5 hash:
e73bda086600b7202904e55c0849b56f
SHA1 hash:
785bbd0e0ce83af37d500694497d94d3910436ac
Link:
https://www.unpac.me/results/0707f36a-0294-46bb-a0d4-67fb8233e43a/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/0707f36a-0294-46bb-a0d4-67fb8233e43a/
SH256 hash:
bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8
MD5 hash:
690108f637456923feeb43667e61a6fa
SHA1 hash:
8c4e29cbe5e659d6a8ef933bc6d1681bf8c7f1d7
Link:
https://www.unpac.me/results/0707f36a-0294-46bb-a0d4-67fb8233e43a/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bcd0dfbf47d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bcd0dfbf47d031ace8308fb63b52b88365db738270b37cae3042c71a6f3875b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194573/

Comments