MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3
SHA3-384 hash: fb29da4ff8f741b1b37454116184d2d3f4aa3fd7beeff7e61196b3a844e3ccf155911c6cb68bfbb8c06b4effa87f0880
SHA1 hash: bd5f0bd1450e91870ecc4ceb8483b327339b4342
MD5 hash: e8d148cdcb9e6ee3a0a41f8f8ad81e01
humanhash: cold-winner-delta-alpha
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:846'848 bytes
First seen:2022-03-06 08:45:13 UTC
Last seen:2022-03-06 10:36:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 24576:uJ+VGSwnswSTqMyyzzNSJfUXHt+wxY8E4J:pYnsIMbzzkJfkHt+wxFEA
Threatray 15'519 similar samples on MalwareBazaar
TLSH T1340523327A89CA20C7CD8435E9DD800095705D3EA761F28BBAB4FF5933A73A3C94955E
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247646/
Detection(s):
SecuriteInfo.com.Trojan.Hosts.49819.7919.7028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c193bee4-840a-4c4b-9bf7-dcc1efc43130
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951386
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 00:08:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3fovmwzlvj5epuxlulnmu7eovtbz6fsvmsz2ejvae2jesoku2zq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1317f13a7cf7f599086f870fe71acd5aeba0ff8b0e52383adefbdf125da46cf4
AgentTesla
4d3032e586de2f01838b69af6911d3d1455027915e5b729e3923e01f34491fe7
AgentTesla
4f382a45ccadbea5c8c789f482cd8fd9bde3a87d43f47db8f6f8930e461d482a
AgentTesla
80ad90d32815bdde4cb3cc99b0fc15343f4e247b8ce3d7954d72a6736157bc58
AgentTesla
f258e8f3abd63a05c1ccbc68383a82a86674b8e105c8c114348f08a90e62319a
AgentTesla
fab057e449135e0e01df2fec5179835247a71d82cbd04cbca8ae2087d2f6a339
AgentTesla
fd5dd5a03854741581992b05e2ce86afe8d6229f262c044d89d013c0d7f2f10b
AgentTesla
+ 15'509 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220306-kpbrrsach8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5950252f63ebf931d843b70923e405103e33c9c00fbd305731d69441722d68ae
MD5 hash:
7ae521c21ad4157fbf714c98f55153bf
SHA1 hash:
e100543d73b4a21ab3bf83fbaacb0d82c7462aca
Link:
https://www.unpac.me/results/8773ce1a-ba07-4763-a109-8e93fad6bd0b/
SH256 hash:
57d7f21b8b27af5d76420fc736f83fd65bdcf74f4ca6e07ac0cc9afca3a34588
MD5 hash:
d8a7dbd840979c066ae77f0c5068e873
SHA1 hash:
dbb4235b8d7aa2ce19eceff6e4c67adab5c9462a
Link:
https://www.unpac.me/results/8773ce1a-ba07-4763-a109-8e93fad6bd0b/
SH256 hash:
dd209e8f2d942c719961ad1a59648ff9f7b08bac502fe281cda26eba5b2e718d
MD5 hash:
f1e711f0e8fcf64826bd5aaa8344d066
SHA1 hash:
8910a83ca50ac6261b9b85d8adc3179063ed351c
Link:
https://www.unpac.me/results/8773ce1a-ba07-4763-a109-8e93fad6bd0b/
SH256 hash:
ca9ac6f744470cba80d18ca640b0b5259b781a6c4b99c28e85d0b3afb5583536
MD5 hash:
125ef6334d70579222af65903070ec0f
SHA1 hash:
4d86a2684f0388a0571c20860253b1f13445aa31
Link:
https://www.unpac.me/results/8773ce1a-ba07-4763-a109-8e93fad6bd0b/
SH256 hash:
becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3
MD5 hash:
e8d148cdcb9e6ee3a0a41f8f8ad81e01
SHA1 hash:
bd5f0bd1450e91870ecc4ceb8483b327339b4342
Link:
https://www.unpac.me/results/8773ce1a-ba07-4763-a109-8e93fad6bd0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe becaeab2d95d53d23e975d16d653e475661cf8b2ab259d113501349249caa6b3

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247646/

Comments