MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a
SHA3-384 hash: 3ef619a6eb56b0aab44a1264e4969de0561561e5cd3801f9a1d549444ce10e7c30d2c46c1050ca06d9168f961b6aa100
SHA1 hash: fd74adbc0716f2039cd16eaec2f6e91f968c0973
MD5 hash: 2daffeb4bfe82105ae4f2a8a0285e452
humanhash: early-red-sodium-cat
File name:7botYDIX478qQdk.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'656 bytes
First seen:2022-12-05 14:53:04 UTC
Last seen:2022-12-16 12:53:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:R5PuYd+V6b1momPZefRtOR9t0+6CUPsK2XUDZXipyKLBWeiOxJuui80tPuYd+V6b:bPuYd+V6bIomxiRYRL0+6Ctp2XipNvu7
Threatray 23'744 similar samples on MalwareBazaar
TLSH T1CFE4015DB311952BDEE4DD70F8BA909242F2BCA9E961CA3D3847339F9432B4C9B14706
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00c0c0b2c0709a6c (16 x AgentTesla, 5 x Formbook, 3 x SnakeKeylogger)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
7botYDIX478qQdk.exe
Verdict:
Malicious activity
Analysis date:
2022-12-05 14:59:31 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/ba46c211-3f59-477c-b880-7d0e65e96498

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342971/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.3526.4371.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638e060d9a505ad9423d6df1/reports/f65ed746-d0b5-444e-b83a-94b1426906a2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0992363-2085-46c0-97ab-36845093b0cc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128162
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 760911 Sample: 7botYDIX478qQdk.exe Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 10 other signatures 2->64 7 7botYDIX478qQdk.exe 7 2->7         started        11 tgDUujZw.exe 5 2->11         started        13 MYAPP.exe 2->13         started        15 MYAPP.exe 2->15         started        process3 file4 42 C:\Users\user\AppData\Roaming\tgDUujZw.exe, PE32 7->42 dropped 44 C:\Users\...\tgDUujZw.exe:Zone.Identifier, ASCII 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmp2F2E.tmp, XML 7->46 dropped 48 C:\Users\user\...\7botYDIX478qQdk.exe.log, ASCII 7->48 dropped 80 Uses schtasks.exe or at.exe to add and modify task schedules 7->80 82 Adds a directory exclusion to Windows Defender 7->82 17 MSBuild.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 26 MSBuild.exe 4 11->26         started        28 schtasks.exe 1 11->28         started        88 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->88 30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        signatures5 process6 dnsIp7 50 api.telegram.org 149.154.167.220, 443, 49700, 49702 TELEGRAMRU United Kingdom 17->50 52 api.ipify.org.herokudns.com 52.20.78.240, 443, 49699, 49701 AMAZON-AESUS United States 17->52 54 api.ipify.org 17->54 40 C:\Users\user\AppData\Roaming\...\MYAPP.exe, PE32 17->40 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->68 70 May check the online IP address of the machine 17->70 78 2 other signatures 17->78 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        56 api.ipify.org 26->56 72 Tries to steal Mail credentials (via file / registry access) 26->72 74 Tries to harvest and steal ftp login credentials 26->74 76 Tries to harvest and steal browser information (history, passwords, etc) 26->76 38 conhost.exe 28->38         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 08:05:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwpi5gfvppscsfkgf2ucqkmh5pqx2546vu6uyzdb5spe2wivbm5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3740ceb756fe0c8bec3ebbb3407c2898eb87fa4ad7bc828e6bfba4857a4f383b
AgentTesla
4a18558d47715d4869b75f738052786c8b85681aea3ff093002cd6b9dfd55c1c
AgentTesla
512ca7cbadc87f5a9471355df03cec6666274c23ca7fbcb1480a1372b59c0401
AgentTesla
54983544e9fd6e0423bcd9ea883e4ff1375abcdd58876d79701e9d24882500ed
AgentTesla
7984714891615a64abddf226ae3538409f5554abcd6513ca58eaeb39c636e046
AgentTesla
87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f
AgentTesla
ceeaf351408125592c58eb70508f0387f293210a0f8ce14cbbda70fd6ef2254c
AgentTesla
+ 23'734 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221205-r9we8saf23/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/
Unpacked files
SH256 hash:
be09b26c217d8c2cc734f63c1268b9a59e54d5381f6320e05d5a65a7ad7c7cb5
MD5 hash:
e793583a9564f3df478cf8832bb433e9
SHA1 hash:
b78d8e80817fdd7a403d592ca7af84ab119890b6
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
SH256 hash:
88a9bb73fbf20f8b448d4f68839b392e30dacd54bb6383856955016e5ada08fc
MD5 hash:
83da2fca7a89b097f686bf4167bbe183
SHA1 hash:
9d7a133a0349d2272ee453977a08b0546cc64911
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
Parent samples :
2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00
4e917ed708e6c20ca6f74372e37680aac6af8a9fc214e903ff4297438cf94261
8cdd2376c22a3f37faafe3a39f3730b7c03c9e641b729607ca2b083abbc3f05e
4a18558d47715d4869b75f738052786c8b85681aea3ff093002cd6b9dfd55c1c
6e91ea05f6e530c2092d498bc56c7de9fe1cc16e74538c9ace01c3c2b79ee74d
5fc28dba0030fcbcc62c9ca9c6da94dbecd6e50ee64f4f5380e6a73adf16f627
bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a
09f3a3ec989361e622f1ac9b42bc380846518c270dac7783e6e38aa1f12ccee4
bb504515c55056366648ad196e46f804221e248e4d41fda2ba3a243e23309794
SH256 hash:
71c2455411bd623222d45c43a2a3f100387befc40ec237222488e435f93ea772
MD5 hash:
eb7a24ff29f2844b375895acc10af168
SHA1 hash:
709da9a9aa8c0ae9f82e58361a19309ed4f0684e
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
SH256 hash:
bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a
MD5 hash:
2daffeb4bfe82105ae4f2a8a0285e452
SHA1 hash:
fd74adbc0716f2039cd16eaec2f6e91f968c0973
Link:
https://www.unpac.me/results/6fe370cb-059a-43e8-97f3-a9e302b1bf21/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd9e8e98b57b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/342971/

Comments