MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec
SHA3-384 hash: 83b133e746d79a218efad95a79de4fb0022aecc9c6ba6c3313e440dc0b33643edb44a0d24939a6d486edec1bee328697
SHA1 hash: e34e880e0418e43b1a0bd3cfc06cf5674d4f9bef
MD5 hash: 6cdfd08cb1d353a93fbaf822060f9d7d
humanhash: double-kilo-north-kansas
File name:inv# BM-032720W.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:725'504 bytes
First seen:2020-10-13 05:49:48 UTC
Last seen:2020-10-13 07:08:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:0uL0xuTLAuFOpVFp3OUBz/0ys0A72BvsQ6pcy37xKlTQ6vXYnZog:7BwpVFp+UBz/U0A7s0QMchTQ6vY
Threatray 489 similar samples on MalwareBazaar
TLSH 1AF4028532BE6BA6C57E47F45A3604501BF4321B3412FB8CAEC264DF7C31FA49256A63
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: partech.com.tw
Sending IP: 45.137.22.72
From: 昶誠 Elsa Tsai <Elsa@partech.com.tw>
Subject: Re: Invoice for the next delivery to BMW Berlin (Partech)(Inv# BM-032720W)
Attachment: inv BM-032720W.zip (contains "inv# BM-032720W.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70262/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.31230.9316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489193
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 04:14:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtwsbaw4ozwqdpf3hmnnrwr3nzeczkxpna2ejj3pvwz32vb5e3wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
2527df2823de3eba2ed8f38e433938832ce4d887d843efcb21a860bbd8a14908
AgentTesla
459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef
AgentTesla
62ddfbbb9039c0671aa08af5d0fdd0fe949eb96e435c631a57e931e4b19743a9
AgentTesla
8f416a96a4a8475bd8486d264aad1bb73ad020db8e7e1d0f268432684096511b
AgentTesla
b29a4f0435f0d54c78c34e1b3d86cdb9b81996ee0e1c50f51a3d0716deee3ff5
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12
AgentTesla
e0693087d46213280ce4281058ff53b07f433a9b07f4eaebf41314dd724f8e73
AgentTesla
+ 479 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201013-dl5ypay286/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec
MD5 hash:
6cdfd08cb1d353a93fbaf822060f9d7d
SHA1 hash:
e34e880e0418e43b1a0bd3cfc06cf5674d4f9bef
Link:
https://www.unpac.me/results/27efc21c-5655-48e0-bae6-ae751b841470/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/27efc21c-5655-48e0-bae6-ae751b841470/
SH256 hash:
8a9a3d775392364d8125471faf4e6255f1c4f7e8f26d845023942c4def7ce016
MD5 hash:
3a48cec56f854deb1aecb78223f575fa
SHA1 hash:
c42b94b78e5a72935ed714d55606e451ec0012bb
Link:
https://www.unpac.me/results/27efc21c-5655-48e0-bae6-ae751b841470/
SH256 hash:
199ece37db387bb84f737f438172c01301d6b0ff4bfb2dececac954706eaa95a
MD5 hash:
66de51c3f3cf0af15f2b1fe993c2c880
SHA1 hash:
d62f22d1ed6b1b92c5a85de2000c7fd6db653db5
Link:
https://www.unpac.me/results/27efc21c-5655-48e0-bae6-ae751b841470/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip da6711a6102657b7af81f947425cac9890d18bd67e9e09dd5cc6617d8f3c65fb

AgentTesla

Executable exe bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec

(this sample)

  
Dropped by
MD5 202c68fca9eaea0699ba2147ac49a216
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 da6711a6102657b7af81f947425cac9890d18bd67e9e09dd5cc6617d8f3c65fb
Cape
Cape
https://www.capesandbox.com/analysis/70262/

Comments