MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf
SHA3-384 hash: df9a153bc16048de7c93f4340fe98d28ba24edada6d45e072bd7c138270c8b79bffa9625e0d5db2be0343c852ef73ea8
SHA1 hash: e2d7eb876dcfb70ae73ec66d1109e05fcc4ac40f
MD5 hash: 90e734fe277b2f141b50278105bf663a
humanhash: oregon-saturn-butter-lima
File name:Payment_Advise_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:827'392 bytes
First seen:2020-10-06 05:47:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:dun9OhURG6NZNUhyOqom6h0deGhFqKUSd6:d09OOxjUQf/R
Threatray 329 similar samples on MalwareBazaar
TLSH 3E057CAC36507ADFC957CD3ACAA85C60EA2064A7530BD203A01716ECAE1DB97DF141F7
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: awef0.310.cicmo.ml
Sending IP: 157.245.40.133
From: HSBC Advising Service <advising.service.73456874.890432.3046124410@hsbcnet.com>
Subject: Payment Advice - Advice Ref:[GLV902083666] / Priority payment / Customer Ref:[TT-34020920E-2]
Attachment: Payment_Advise_pdf.cab (contains "Payment_Advise_pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68406/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482295
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293588 Sample: Payment_Advise_pdf.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 26 Found malware configuration 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 5 other signatures 2->32 6 Payment_Advise_pdf.exe 3 2->6         started        10 newapps.exe 3 2->10         started        12 newapps.exe 2 2->12         started        process3 file4 20 C:\Users\user\...\Payment_Advise_pdf.exe.log, ASCII 6->20 dropped 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->34 36 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->36 14 Payment_Advise_pdf.exe 2 5 6->14         started        38 Antivirus detection for dropped file 10->38 40 Multi AV Scanner detection for dropped file 10->40 42 Machine Learning detection for dropped file 10->42 18 newapps.exe 2 10->18         started        signatures5 process6 file7 22 C:\Users\user\AppData\Roaming\...\newapps.exe, PE32 14->22 dropped 24 C:\Users\user\...\newapps.exe:Zone.Identifier, ASCII 14->24 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->44 46 Tries to steal Mail credentials (via file access) 14->46 48 Tries to harvest and steal ftp login credentials 14->48 50 2 other signatures 14->50 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 01:01:28 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvnvhuhcuydyddu5sq4ekl4yruoqw3dwm5fojwauhm4kjqgppk7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8
AgentTesla
787bbb324bff5c9623f81bcfb8eb548a5938a50323c594440bc46dacd52276a4
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
AgentTesla
eb4edd0b9f5c8ac8807776409d86a5a66e25cbebc2e441faa16808d8b5ec9288
AgentTesla
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
AgentTesla
+ 319 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201006-vrce2q546j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf
MD5 hash:
90e734fe277b2f141b50278105bf663a
SHA1 hash:
e2d7eb876dcfb70ae73ec66d1109e05fcc4ac40f
Link:
https://www.unpac.me/results/bc764c11-8174-475e-b644-0d2c1001784c/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/bc764c11-8174-475e-b644-0d2c1001784c/
SH256 hash:
fd03dc1ddca630cfe821ef7f3d1a7efe29cef8817ed1d18fbff26597685431e5
MD5 hash:
0d66e2f9263a91a666d5d60b76d1adb0
SHA1 hash:
8f566521c2b352d0a2e7ff91d19420e1b2200f9f
Link:
https://www.unpac.me/results/bc764c11-8174-475e-b644-0d2c1001784c/
SH256 hash:
c27be40d55821fba153fc3f17f6313c27d625f365da64ada5dbbec3af34e04d3
MD5 hash:
88a1d30f0b1cd22b5f57c20815d1bdb7
SHA1 hash:
d7dc00c15cd155927673dd251ca0c06627f6fab7
Link:
https://www.unpac.me/results/bc764c11-8174-475e-b644-0d2c1001784c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab cb464a51d514a4f48eafc3b9894b85c5567d6d45f817542c147c61af553503f8

AgentTesla

Executable exe bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf

(this sample)

  
Dropped by
MD5 7e504941fe377af17039f453a0b4a912
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68406/
  
Dropped by
SHA256 cb464a51d514a4f48eafc3b9894b85c5567d6d45f817542c147c61af553503f8

Comments