MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9
SHA3-384 hash: 1b865bdc4834828647f4a84591646839fbb92687f8150e9f69c619bfcfd32709849a540205c5e0610c13dda2ebe79fad
SHA1 hash: e23a6de31dcefda3d84fcd8b0122f33c1a726249
MD5 hash: 16a00e358736ae0bf135aec278aee516
humanhash: carpet-hot-comet-bluebird
File name:DINTEC Order 28012021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'153'536 bytes
First seen:2021-01-29 07:37:34 UTC
Last seen:2021-01-29 10:11:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:eYLhDn5IimM7w9n6ILDTsscYV+UetLRa6c57QMIb+++z3i+3w5D7ZRQn+ssWg:eYLlntAn3L8sHPeVRaL7QM4eaAn+Gg
Threatray 2'328 similar samples on MalwareBazaar
TLSH 3335CE26F648AB31F07EBB795430977107FDAD12E631E61D3EA972C91432AC146E3E12
Reporter fabjer
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DINTEC Order 28012021.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-29 07:39:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/916d561b-ffca-4644-9545-6dc5966dc391

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114646/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.9512.8090.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593608
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 11:42:39 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwe7nytzj4gdqpfblom4kori222sppsy5ryt57fp75hq3mqzlh4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2e10233f14882e29da2131e7239cb850c3541e014ff77ce51a1a355f6a57e431
AgentTesla
38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc
AgentTesla
41d6d55849c6b5fc16d491d5e6ef98337ff18fc90e8146a186d8dabc2303d361
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
5cf8e944ea54195e221343dec2bb3728c5faecc2b55be781b597503a7ae2fd39
AgentTesla
63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774
AgentTesla
aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240
AgentTesla
bf7ab488d2d80bdafaafb8c4dcd858ecdcbb81188142adc0d58f3389807f0708
AgentTesla
c50fcb67709551a597f9195bf6e06b7d1fd97170786afb5d0d23b151bb836113
AgentTesla
f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8
AgentTesla
+ 2'318 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210129-t4g877mq9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Unpacked files
SH256 hash:
705befc86cde0824c7add559794c39a6458450d516a59aa6984e76793b10f999
MD5 hash:
4e6bbc038eebf384bfc21142aaa31bd5
SHA1 hash:
7b45f9bb0f2e679511cc29bc3d24995854299234
Link:
https://www.unpac.me/results/64ab54d9-fbc2-48b3-a874-3c8cb8b07a6e/
SH256 hash:
44f9ce78895579f7580909ce165e50afcffee4ceda824ee79a3c4c9546db850d
MD5 hash:
de56ba8bb27f65555dcf2612737d8cb1
SHA1 hash:
37e7e4f9c2393371abf1cb3b38999b51388a7cd9
Link:
https://www.unpac.me/results/64ab54d9-fbc2-48b3-a874-3c8cb8b07a6e/
SH256 hash:
f3ea20f6815e7f5f5159971ea2714811dcc4b41c31bceb3514f60c3eeed81dbb
MD5 hash:
9951799b56282c51f5b64c5c150df857
SHA1 hash:
33c35765c67cbb3e582af839bb384a75338b4d3e
Link:
https://www.unpac.me/results/64ab54d9-fbc2-48b3-a874-3c8cb8b07a6e/
SH256 hash:
bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9
MD5 hash:
16a00e358736ae0bf135aec278aee516
SHA1 hash:
e23a6de31dcefda3d84fcd8b0122f33c1a726249
Link:
https://www.unpac.me/results/64ab54d9-fbc2-48b3-a874-3c8cb8b07a6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz bd0b05f44da4bfae1b8843b6837a02dacbd9d0a4a677cbe3ede32596200b7944

AgentTesla

Executable exe bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9

(this sample)

  
Dropped by
SHA256 bd0b05f44da4bfae1b8843b6837a02dacbd9d0a4a677cbe3ede32596200b7944
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114646/

Comments