MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c
SHA3-384 hash: c8af5344527aa91b28886ab5bcb2b6fcde5e917a966327bce0040618e985b30a6495db6049b8f84bac1f3f31d8d8024f
SHA1 hash: 71b2dcff2e4dd01677bafcf4b84b8c37f8f82e4b
MD5 hash: 5c10f679234bd48341c99e43d5386f75
humanhash: table-alpha-leopard-mars
File name:TEKLİF İSTEĞİ_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'524'736 bytes
First seen:2021-05-06 07:15:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DE/jfuT7hyvCQ3pyVnoNMbpcK9PmZTAKOPa3pWixNg7AolYx2J1q7INlH6Nt2mJA:DuEQ3I8FT7OqW4CM0TJA7alj
Threatray 4'548 similar samples on MalwareBazaar
TLSH 636507A9325076DEC857C9728A58DC34EA607C66431BD203A0D73DAFBA7E597CF140B2
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151384/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713553
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405701 Sample: TEKL#U0130F #U0130STE#U011e... Startdate: 06/05/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 12 other signatures 2->40 7 TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe 7 2->7         started        process3 file4 28 C:\Users\user\AppData\Roaming\ydzmNX.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmp2E51.tmp, XML 7->30 dropped 32 TEKL#U0130F #U0130...e#U0130_PDF.exe.log, ASCII 7->32 dropped 42 Adds a directory exclusion to Windows Defender 7->42 44 Injects a PE file into a foreign processes 7->44 11 TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe 7->11         started        14 powershell.exe 25 7->14         started        16 powershell.exe 24 7->16         started        18 2 other processes 7->18 signatures5 process6 signatures7 46 Tries to steal Mail credentials (via file access) 11->46 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 18->26         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 07:16:15 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzbq3lmrernwxv2bx2aexm7ewccyxjrdsexaisdmd2jte3eyr4wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08f9ff6bbe01d3fab54974c872fbdf2f8fa1fd1f32649c776f0626030169272c
AgentTesla
3206ceb59dc7e6b70492a3b118f97114f0cf26ed040f42ac9226aab0169210ea
AgentTesla
52d514639923395c838d6f682c4be02ce3ba7ff3c5de613824e51ce0280a74cb
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
6f175e5ca3aed259ec1288d9dbd2510bff46dd383f95c07d9495570699934445
AgentTesla
74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
d7b92448ecfd7f178e19428933ffcb94d7df6ffcb255839b508328d060811622
AgentTesla
e3154d853187b18659c637d16cb0a1fdd48c1bfa53c5d39aa11e1ed3db471dbd
AgentTesla
f365a0a316dd1de07f6145a94b48706d0700661b36f2f5eb915e8c05a602c0c9
AgentTesla
+ 4'538 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-4w2xyl8y9n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/a9ac6fc9-b2cb-42be-9caf-f255325e39f7/
SH256 hash:
be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c
MD5 hash:
5c10f679234bd48341c99e43d5386f75
SHA1 hash:
71b2dcff2e4dd01677bafcf4b84b8c37f8f82e4b
Link:
https://www.unpac.me/results/a9ac6fc9-b2cb-42be-9caf-f255325e39f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe be430dad91245b6bd741be804bb3e4b0858ba623912e04486c1e93326c988f2c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/151384/

Comments