MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
SHA3-384 hash: b639a19c86f2955597f2b1b510d90baa0b6549a13847b11d181ead0ed6e2d8919b1047e272fd485eafa01d7aa4d53932
SHA1 hash: 4a934e2daf22ee33f1aea1cd49cdd294986efc16
MD5 hash: 6b30bab8e1f4ff60acca54a249517bd5
humanhash: timing-lamp-london-kentucky
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'053'696 bytes
First seen:2020-12-01 15:00:19 UTC
Last seen:2020-12-01 16:51:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Bl7TM6XSWx5A8TxPytSYb7am0ktZZtq1EruQo:Bl7TM+zxG8tKDb7n7TZE1Au
Threatray 9'594 similar samples on MalwareBazaar
TLSH 2E25013122B4AE54D6BA0FF565B021400F766A671639E34CDD8024DF2DB3BD08E6F667
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106259/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.10060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/552503
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325353 Sample: Payment.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Sigma detected: Scheduled temp file as task from temp location 2->38 40 5 other signatures 2->40 8 Payment.exe 6 2->8         started        process3 file4 24 C:\Users\user\AppData\Local\...\tmp2B71.tmp, XML 8->24 dropped 26 C:\Users\user\AppData\...\Payment.exe.log, ASCII 8->26 dropped 28 C:\Users\user\AppData\Roaming\gnFZsnV.exe, PE32 8->28 dropped 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->46 12 Payment.exe 2 8->12         started        16 schtasks.exe 1 8->16         started        signatures5 process6 dnsIp7 30 smtp.shirdilog.com 12->30 32 us2.smtp.mailhostbox.com 208.91.199.225, 49756, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->32 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 2 other signatures 12->54 18 reg.exe 1 12->18         started        20 conhost.exe 16->20         started        signatures8 process9 process10 22 conhost.exe 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 15:01:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvsidgnrp7zb3m6ult6rb2z3od64xx2cyqcqmebf3zwndjm4eexa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
081e0a3ba699ed2ecdca059eb30de07eff5226c33ae0f5eabb78a6b8577b2685
AgentTesla
13a9dd2694b5c08ac72ab0cc485ef6e607fe9b62acb966065344469155f2c55c
AgentTesla
405c66cfdc34d1fa670ad8f8a9143ba2ffa743b024396c4c6eb657dc0b4984cd
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
6702194e907abb44e098053a29ddb3eebe2d9f0649857df43c3d265f9eb69f2f
AgentTesla
6fe204d9224bacbbf32c4093dc5ab43fce7480ae49c7888787b4eef8cc814aa0
AgentTesla
a32fc63620a1e241cf228c8b9f46ba4fe723d3775134d000472e1d91fae35801
AgentTesla
ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
AgentTesla
bb5655ed407d25d54cefaf7d9834192b007ea351bfd0237ea1d59f63333a9aef
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
+ 9'584 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201201-3yr3d6cakn/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/c26fb0e2-7134-48fc-a982-c1e40ac15f68/
SH256 hash:
9be1ad616a483be6f65e69a88fd1d6cab6e8217236ac189d8b903f5f8c686832
MD5 hash:
55314db41bfc3877e5ad1250047a77f3
SHA1 hash:
6e21eb482f0a6b719359b3fb56b52abca46a673e
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/c26fb0e2-7134-48fc-a982-c1e40ac15f68/
Parent samples :
fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb
0096dc44d88cb2dc617a69d3b9fef566a848c661f00bee5a85afcb205a33aba9
ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
69cbd1cde514fa34db916c79d034366b291e3ea63917b52ec76bef88060bfce0
bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
733791b9f0a883fccd3d16935d700144bdfb9e5b8ca2ee4a095fa30ce9c301e5
4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f
SH256 hash:
2485f819c0a8616775549115bd65e8419bae9ea9c6715901d9a803da72334e9d
MD5 hash:
7b7cd112c7c5030a523c96ddd807cdb4
SHA1 hash:
f2de664d1ffd5131da199f804752c87d388db4e0
Link:
https://www.unpac.me/results/c26fb0e2-7134-48fc-a982-c1e40ac15f68/
SH256 hash:
bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
MD5 hash:
6b30bab8e1f4ff60acca54a249517bd5
SHA1 hash:
4a934e2daf22ee33f1aea1cd49cdd294986efc16
Link:
https://www.unpac.me/results/c26fb0e2-7134-48fc-a982-c1e40ac15f68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106259/

Comments