MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666
SHA3-384 hash: fd0e4f2ee03656000dee10ac8cfc5cda3ed8e9d8296103c097ff2d3329c26885e378b1252478bef3557697fb707af88d
SHA1 hash: ba1598878710e3ad66269ce37f0f9cff924aa76f
MD5 hash: ea4fbd691e576c3597b4391e408630a6
humanhash: foxtrot-berlin-early-ack
File name:Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:592'896 bytes
First seen:2021-03-22 07:40:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:/+J0WVFIlxuB0MWeDJofvb/GXbHk2XiIjHU4H444h:/YjFIXYWeS7kEtIj04H444h
Threatray 3'362 similar samples on MalwareBazaar
TLSH 4DC448847050B08EC852CD317A9CDD58E65A3C62B3565F83BC9333AFA9FB5829F44279
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: makelove.ddnsgeek.com
Sending IP: 103.20.235.117
From: Dave Richter <info@linkbuild.me>
Subject: URGENT ORDER!
Attachment: Order.001 (contains "Order.exe")

AgentTesla SMTP exfil server:
smtp.gmail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order.exe
Verdict:
No threats detected
Analysis date:
2021-03-22 07:56:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ab01cd3-6ab7-443e-9179-6e897cbbc5e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.6866.22663.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647443
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 02:33:09 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4j3xk4qbm4vazymp3atqk5qmppdpeheeybzyetlw7kgtgoyizta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
168d180de146160d0ba93335e36e00d62029ea13f0a41ace68a76e8a2b547ac3
AgentTesla
5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47
AgentTesla
6117ef5bdf129b7cc226a3bb9e3734f1b7502ab893603c4368685017f31a0677
AgentTesla
6319947a9646aee1e317a89a50c0d2a2984cd35269260ce6015f9172630b14f7
AgentTesla
66299f1d16eab2cca6ebe65ac3239ab8fb27ea535d2fa6e2f472554c311d9f07
AgentTesla
747ee0971e16540fa80072cdcc9e28a2f3fca2303303920c802219ea64c5bef2
AgentTesla
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
AgentTesla
d60076d9ebcd69f0403422ebb01bf2df5faa59ce3fe2596b76ba0868ec666549
AgentTesla
e2ba312c9fcc69d5a671097caf440bb681580204330bdde4e3dde3da57c5fe5a
AgentTesla
f892fa6757d9aab17b11c24debe91cc7ecd4591bc656f9e653dacf883a1b764f
AgentTesla
+ 3'352 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210322-rrse2le686/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666
MD5 hash:
ea4fbd691e576c3597b4391e408630a6
SHA1 hash:
ba1598878710e3ad66269ce37f0f9cff924aa76f
Link:
https://www.unpac.me/results/bb1d5911-528f-400e-b2df-750a59cc9bbc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b8e7235222b59eb02eb7fb533e80d6cb2482611bd9afe148e03f3c208bd09d88

AgentTesla

Executable exe bf13bbab900b3950670c7ec1382bb063de3790e426039c126bb7d46999d84666

(this sample)

  
Dropped by
MD5 68c9679b44ac8c6f286c5d5d0abac379
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b8e7235222b59eb02eb7fb533e80d6cb2482611bd9afe148e03f3c208bd09d88

Comments