MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf2efbd13ace8761d0ff1d9e0952bbacb4c403a0e91d76d0b2cd65b838b4c0a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf2efbd13ace8761d0ff1d9e0952bbacb4c403a0e91d76d0b2cd65b838b4c0a6
SHA3-384 hash: 681a61f440e9508d708b303401703fee5d3cea66158fd8e24d0d4ee88ae1606293f1609868f69b77b968ef36bffa6e4e
SHA1 hash: d2b2936ff183a895ce82ed5d75ea0fdac3c7591e
MD5 hash: b72e426691c8562cab3551f77964a8ff
humanhash: oven-timing-maine-fix
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.51343.32236.12600
Download: download sample
Signature AgentTesla
Create hunting rule
File size:353'792 bytes
First seen:2020-08-01 19:33:18 UTC
Last seen:2020-08-02 07:32:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:AUa8McQk6lqDkDKtQQn7wcjlXLMJss9guixM3dG57k:AUasQkkqDkDKmQB5RuixM3dQ
Threatray 45 similar samples on MalwareBazaar
TLSH 5E74077711A190B6C1892334E4720F0B3B7CD2241691F29DB14EA2EADD1E39D9EF9379
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37043/
Detection(s):
SecuriteInfo.com.MSIL.PSW.Agent.RUL.5804.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/406899
Signature
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf2efbd13ace8761d0ff1d9e0952bbacb4c403a0e91d76d0b2cd65b838b4c0a6/
Threat name:
ByteCode-MSIL.Backdoor.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 10:12:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05a155b2e1218708d1803e647ce21abb556abb208d16c7861904f5ea938bde03
AgentTesla
0b95b126cf983c7a26829e8355d66de10cc1e085a3a981703040269ce43f863a
AgentTesla
12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
AgentTesla
24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e
AgentTesla
256966058fb63c734b270b6842820287bb83a5895d0a14a5b66f52db037405fb
AgentTesla
4cb67a53b9aa137648e0af6235202f2a7ed2def37fa48fbda0ba6a9fb46f01c7
AgentTesla
a415be3007323e2f44f88d02d2a7c5225ae795235d57aba13fa5057ff6acab61
AgentTesla
de989a7339fadd1a4c95ce4ff18fca9959cee32161354062327b52a38541d02c
AgentTesla
df54c4cf12eb9ff00568d4936f2c55a3193f6726b1a7f59c78a88a6f06488dbd
AgentTesla
e363126219327414e0ab73a7b053e3c25bcfd656ff7b3b1f5db6e86076a93986
AgentTesla
+ 35 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200801-efr8bnq4ca/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bf2efbd13ace8761d0ff1d9e0952bbacb4c403a0e91d76d0b2cd65b838b4c0a6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/37043/
  
URLhaus
https://urlhaus.abuse.ch/url/408186/
  
Delivery method
Distributed via web download

Comments