MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d
SHA3-384 hash: ccd47e75f9b73672865f81053a3d92ad83290904ef22b6be23ca83d5487531521bf84f5e81ed3da6775970c75b43485a
SHA1 hash: c3bc71cca4af8ee4b8646d8bbe4bde5b5abe3cae
MD5 hash: c707110b5d3e33f6931bb66320972fbf
humanhash: ack-south-gee-virginia
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:19'752 bytes
First seen:2023-02-09 09:33:30 UTC
Last seen:2023-02-09 11:36:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:BYVYVMIL/FQIIbE3rUPzZKF6wzbaZNHZVGmGovy8ZpHGH8X:sYVtL/fIMmzM6SbSN5PyiRl
Threatray 1'094 similar samples on MalwareBazaar
TLSH T1CB925C642BDC2003F8BE1FB4C9E999528B7CB6E37C11D66F26D5508A6DC23801990F7B
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-08T12:30:54Z
Valid to:2024-02-08T12:30:54Z
Serial number: 54c25aacb37a069042c26f37a6115d9f
Thumbprint Algorithm:SHA256
Thumbprint: eb40c0fa18fb2734189b261cf25d0238193928b7faf0d074487a35eb2eaa98d8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-02-09 09:36:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d345f7a-c471-4932-acdc-fe46184c7586

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362663/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.17424.19721.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Sending a TCP request to an infection source
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
20%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63e4be0cc7ca3840b5a14a3e/reports/0119cddf-54c4-4121-be1d-f8422c050f96/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik.AIAE trojan
Link:
https://www.hybrid-analysis.com/sample/bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97681129-f535-42f3-ae37-4af839db4d50
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1169865
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 802656 Sample: SOA.exe Startdate: 09/02/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 6 SOA.exe 3 2->6         started        11 DfdZo.exe 2 2->11         started        13 DfdZo.exe 1 2->13         started        process3 dnsIp4 34 185.17.0.79, 49712, 6666 SUPERSERVERSDATACENTERRU Russian Federation 6->34 32 C:\Users\user\AppData\Local\...\SOA.exe.log, CSV 6->32 dropped 58 Writes to foreign memory regions 6->58 60 Injects a PE file into a foreign processes 6->60 15 AddInProcess32.exe 17 4 6->15         started        20 DataSvcUtil.exe 6->20         started        22 aspnet_regbrowsers.exe 6->22         started        28 16 other processes 6->28 24 conhost.exe 11->24         started        26 conhost.exe 13->26         started        file5 signatures6 process7 dnsIp8 36 api4.ipify.org 104.237.62.211, 443, 49715 WEBNXUS United States 15->36 38 wecaresvc.com 103.138.106.17, 49717, 587 ABOVE-AS-APAboveNetCommunicationsTaiwanTW Taiwan; Republic of China (ROC) 15->38 40 2 other IPs or domains 15->40 30 C:\Users\user\AppData\Roaming\...\DfdZo.exe, PE32 15->30 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->44 46 May check the online IP address of the machine 15->46 48 4 other signatures 15->48 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-09 08:20:03 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvn3dfredujovimkiwojs7npo3gkkcvlelsvgdqr6ra6lzqepywq._file
Verdict:
malicious
Similar samples:
277695c9c74d59d603816ca495662666d702dce65c7949468eed50ad5e8171a8
AgentTesla
32603d6c0a84eeb638434c8f7e351dd062d88a5da3d4fd659a8ae6570339845c
AgentTesla
3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
AgentTesla
40fbdffc4c34a41a564d0863ed3563fb04f97b9325c1ec297a4477b15e6efbbc
AgentTesla
577a6f8ac673a1b176fd32c9b8fe01178fee10a2602e3ccbc02b3fdebfa9bf0b
AgentTesla
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
AgentTesla
67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea
AgentTesla
6bf19b47e17a3856e31e384b6aa304346e151f2c41385d01da5834a751fae776
AgentTesla
bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9
AgentTesla
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230209-ljsc1aef23/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
AgentTesla
Unpacked files
SH256 hash:
bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d
MD5 hash:
c707110b5d3e33f6931bb66320972fbf
SHA1 hash:
c3bc71cca4af8ee4b8646d8bbe4bde5b5abe3cae
Link:
https://www.unpac.me/results/d471ae88-4bd8-4c70-88a4-72d6ce6fde24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd5bb196241d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bd5bb196241d12eaa18a459c997daf76cca50aab22e5530e11f441e5e6047e2d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/362663/

Comments