MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd557f84277a8c9f4098474f8449c78ca3c5afa108215ae44fb61668b2c0cfba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11


SHA256 hash: bd557f84277a8c9f4098474f8449c78ca3c5afa108215ae44fb61668b2c0cfba
SHA3-384 hash: e7054df1e47bf0385776c738af46c0e970054a0d128b656bd1d359f5b6a2c4a815279e8518d83789a57c0a796c7bc61b
SHA1 hash: 0fa355d8d2be7e78684bac697d71e27114ba96b1
MD5 hash: eccf8ac19437cab9813a7c3d4f433714
humanhash: high-green-zulu-magnesium
File name: SecuriteInfo.com.Trojan.Win32.Save.a.10874.23723
Signature: AgentTesla
File size: 304'429 bytes
First seen: 2021-08-13 02:58:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6f6fa9bdd40f71fb098a7bfffa792078 (2 x Formbook, 1 x AgentTesla, 1 x RemcosRAT)
ssdeep: 6144:nbgMF6Phu8oFvYCUUG1mOvebfIL1h/bDg6EMGT63V9bBh:bgfuD7meTq1hDDZGm3Vbh
Threatray: 8'369 similar samples on MalwareBazaar
TLSH: T1DD540174A40467A1C14B2EBAECEFBC2D2A504F7845A11467E1ED7B70ACF72E790CB605
dhash icon: 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 297
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Win32.Save.a.10874.23723
Verdict: Suspicious activity
Analysis date: 2021-08-13 03:00:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla Telegram RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph: (graph image not included in this export)
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-08-13 02:11:31 UTC
AV detection: 13 of 46 (28.26%)
Threat level: 2/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 6f2b963d58186bfac06372ec513ec9c83a9c5d710e9615fc12ab3f20f8423bdb
MD5 hash: 3a4e49b529b793e332e49676f94546ef
SHA1 hash: 6df45339e64736aef1ce125392e747808e04cc04
SHA256 hash: bd557f84277a8c9f4098474f8449c78ca3c5afa108215ae44fb61668b2c0cfba
MD5 hash: eccf8ac19437cab9813a7c3d4f433714
SHA1 hash: 0fa355d8d2be7e78684bac697d71e27114ba96b1
Malware family: Agent Tesla v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments