MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795
SHA3-384 hash: 2a38a9482e7d7ec17162ce4a8528bbf8532b5f7faf0b19f31a4ce76650a44094d2ac253fa35d51755292acf51cc1d84e
SHA1 hash: 5238bec06e847e34ce30ebb31b3459e14f2a0d41
MD5 hash: df1ba5d7f723a897c59720ae9adcb101
humanhash: india-mockingbird-quebec-william
File name:official PO PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:62'912 bytes
First seen:2020-10-13 14:33:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:6uwHTbC0n2eHe8k61uTlI8ySar/L8R2/FmK9s2F6zvss4Y7ejg4sAclwYQJnt6nS:6uaxlk6zJ/YmFmkE4sAciloUf2h
Threatray 516 similar samples on MalwareBazaar
TLSH 2353E4843C46C59BD925A83599F2EDA40AA2ED73D412E3B2DD97F8D8F27C704FA43520
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps-e62a430c.vps.ovh.ca
Sending IP: 139.99.133.125
From: IFB Shenzhen Oprs - Rena Rong <mumdoc@mastergroups.com>
Subject: Agro Mega Trading Co.,Ltd PO
Attachment: official PO PDF.img (contains "official PO PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70501/
Detection(s):
SecuriteInfo.com.HEUR.QVM03.0.8E75.Malware.Gen.4658.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/489867
Signature
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 10:12:08 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4tx2tdy2zdce6dwgxb327cv7tzl7x7zifyzk65owz33p36qq6kq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24d32404b88210f6f5cb58362bc6122c7f7545ee8b792c075df1b0069a4f10d5
AgentTesla
3d281e94d3e3d6dc20818716a5b45e09803a5e8cace71615d950d086b563cc40
AgentTesla
46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
757d376a5edc5d260ab3fb209797dbbdf3ce43f6331432174b1398f14e723e20
AgentTesla
8f416a96a4a8475bd8486d264aad1bb73ad020db8e7e1d0f268432684096511b
AgentTesla
bd5f6e5567639e5e1c4619a02ff2db2eb3242cd6e25e50f7b7559202fc7f061c
AgentTesla
db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576
AgentTesla
ef261cab960c0d90f77d39e3b5405aec8e2ff2bf220f1ebe594807f3fa5cd6fb
AgentTesla
f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083
AgentTesla
+ 506 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201013-z8cbblybxn/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795
MD5 hash:
df1ba5d7f723a897c59720ae9adcb101
SHA1 hash:
5238bec06e847e34ce30ebb31b3459e14f2a0d41
Link:
https://www.unpac.me/results/24f602b4-f988-4cc5-83b3-ef0009f53074/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img c863f9552782e6bc04940127a31550a4632efa1f5cce23b61e4b65d9d0e6b35a

AgentTesla

Executable exe bf277d4c78d64622787635c3bd7c55fcf2bfdff94171957baeb677b7efd08795

(this sample)

  
Dropped by
MD5 6947721d5f616f2a0facb1a23ecc67aa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70501/
  
Dropped by
SHA256 c863f9552782e6bc04940127a31550a4632efa1f5cce23b61e4b65d9d0e6b35a

Comments