MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd1c23d94bdfe89a70563dbb0d70a8fb95afd9baff89d2a515fc899cf7b0fbb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

SHA256 hash: bd1c23d94bdfe89a70563dbb0d70a8fb95afd9baff89d2a515fc899cf7b0fbb2
SHA3-384 hash: 7dc840fb3f5d79ed0fbc892e3db99f959ca67d2f98f81e5c0713a568133ece52cbe4fcae15f540f101c7f7580f6f0758
SHA1 hash: b5c8d8576780b199767210de81e19b2649c927fc
MD5 hash: 5168ede27cefa95e7b056a1354737dbd
humanhash: rugby-missouri-hamper-west
File name: 5168ede27cefa95e7b056a1354737dbd.exe
Signature: AgentTesla
File size: 489'472 bytes
First seen: 2020-12-09 11:12:51 UTC
Last seen: 2020-12-10 14:20:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:Jjes+Y0cJADDy9E7ztyZn9sTAsj8LTYr6O8:4cJADDty9suTQY
Threatray: 14 similar samples on MalwareBazaar
TLSH: 81A4E13222157B61E67E0FF4E01024444F746F2B6270D25EADC210DB35AF735BAA6EA7
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 152
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: invoice&delivery20200912toxRG.xls
Verdict: Malicious activity
Analysis date: 2020-12-09 09:45:55 UTC
Tags: macros macros-on-open loader evasion trojan 404keylogger stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected Snake Keylogger
Threat name: ByteCode-MSIL.Ransomware.TeslaCrypt
Status: Suspicious
First seen: 2020-12-09 11:13:04 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: bd1c23d94bdfe89a70563dbb0d70a8fb95afd9baff89d2a515fc899cf7b0fbb2
MD5 hash: 5168ede27cefa95e7b056a1354737dbd
SHA1 hash: b5c8d8576780b199767210de81e19b2649c927fc

SHA256 hash: 89c61189ea0f009e7d620d0af641bb518ae0ea0e3bae024140a7b7bab47a03d2
MD5 hash: 1c989ede07cedf437ec4bc5bcd33e076
SHA1 hash: 10339f06b6f43f370f2e2364573e12432c019277

SHA256 hash: fbb4b481abf097b1ed40a5b6a231d059c4ffb8ab4b32d644fb2751a68e1f20a8
MD5 hash: 23222c9deaebfa57cda4ea49460a9fcb
SHA1 hash: 26f8e82df2a851091dfaccd52f892732abcf906d

SHA256 hash: 3620fdd4bc5bbd205467398c8fbd23697a752c1e6f24790ca6696c01ce63110f
MD5 hash: 8f6de353c17aa1dde5e9dafab3e471ff
SHA1 hash: 8a916b5e32ffcaf32b13a106926102fd06f7bd5e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: AgentTesla, Executable exe bd1c23d94bdfe89a70563dbb0d70a8fb95afd9baff89d2a515fc899cf7b0fbb2 (this sample)

Delivery method: Distributed via web download

Comments