MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
SHA3-384 hash: 0f30ddaae8eb6e80da4927f2e59d942a991c1b065425f5b6342e672b97d932459e18246d2d2f350f57522c947fb4a9af
SHA1 hash: fa107f67f4fc84687cc0f69cc17b542b099f6de4
MD5 hash: ef60156618f28126ff1bec1f5e03e8f0
humanhash: victor-don-sodium-mirror
File name:SecuriteInfo.com.Win32.PWSX-gen.4961.30065
Download: download sample
Signature AgentTesla
Create hunting rule
File size:755'712 bytes
First seen:2023-07-20 20:30:31 UTC
Last seen:2023-07-24 13:23:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:gWc/bUYIsYolnp93jgcwRx1kHuG0/KVkFu/GqHpSp+fiZfGRVh32+:7iXrYo5UkHuG0/KV1/HBked2
Threatray 414 similar samples on MalwareBazaar
TLSH T1A9F42242B3689D37E56DEFF208B1A1940370A26432C7C3CE5CB226DA1CA67D16965FC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8e336969f071338e (7 x AgentTesla, 3 x SnakeKeylogger, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.4961.30065
Verdict:
Malicious activity
Analysis date:
2023-07-20 20:34:08 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/37c9c568-0dc1-4289-9d6f-c7a7d7db70ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427215/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4961.30065.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d864dac6-42a2-499f-a661-a9281f7c4771
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277058
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277058 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected AgentTesla 2->52 54 Machine Learning detection for sample 2->54 7 SecuriteInfo.com.Win32.PWSX-gen.4961.30065.exe 7 2->7         started        11 NFpegud.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming32Fpegud.exe, PE32 7->32 dropped 34 C:\Users\user\...34Fpegud.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpBAAE.tmp, XML 7->36 dropped 38 SecuriteInfo.com.W....4961.30065.exe.log, ASCII 7->38 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->56 58 May check the online IP address of the machine 7->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 7->60 62 Adds a directory exclusion to Windows Defender 7->62 13 SecuriteInfo.com.Win32.PWSX-gen.4961.30065.exe 15 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 68 Injects a PE file into a foreign processes 11->68 21 NFpegud.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 40 api4.ipify.org 104.237.62.211, 443, 49699, 49703 WEBNXUS United States 13->40 42 mail.synergysystem.in 119.18.54.176, 49700, 49704, 587 PUBLIC-DOMAIN-REGISTRYUS India 13->42 44 api.ipify.org 13->44 72 Installs a global keyboard hook 13->72 25 conhost.exe 17->25         started        28 conhost.exe 19->28         started        46 api.ipify.org 21->46 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->74 76 Tries to steal Mail credentials (via file / registry access) 21->76 78 Tries to harvest and steal browser information (history, passwords, etc) 21->78 30 conhost.exe 23->30         started        signatures8 process9 signatures10 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 18:43:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7pe4tmvwfm7evt4herj44bpys52trj5xvlzqvoojb3zjjtvtkqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
AgentTesla
1c71de5816aed5c4f8d677703ee09567ef0b80fb2e50acb2cf1c1ed931660ef1
AgentTesla
339b656f202364608d6b3aab91f86de7cc68ae0b599da1380cd7ff9b31fe7c43
AgentTesla
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
AgentTesla
830b93cdc24c1d75ee7ba0afcaddb58690f9d3ff96ded60ea5657768b188d301
AgentTesla
942ef672b6f7e6f67a1d4de06e8c25bdb316a74c27ab4602d0ef01c33c9c5e36
AgentTesla
a693f4ed81f9a157d90b2a2e136e60b14b052a008c5c2a07b5f3cc4540be493c
AgentTesla
cb2cbedac34829b45dcc25735d79fb332bed3098741a7ca8a7954de5ceb894ec
AgentTesla
+ 404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230720-zavcwsbb4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/de92d692-8143-4e4f-9c88-14f090a32d53/
SH256 hash:
6c9116f3aadc39e58df7a017abf8cbdec73b7fc78c29a180142d796f1841ec8a
MD5 hash:
cfc7905319891aae574c8f0f385190d6
SHA1 hash:
bed1864e1ae21e09cad8a7ffe61b1cbe65fc1c91
Link:
https://www.unpac.me/results/de92d692-8143-4e4f-9c88-14f090a32d53/
SH256 hash:
fdae9509afe5dd9dbdb190bcb35e0ae6eb660b5294241de19c94eb6294fb68ca
MD5 hash:
8e59786522b6f1d13820d1112673fc9e
SHA1 hash:
a6d9374a8c4124fe4198b0ca49aeb56158bf4e6b
Link:
https://www.unpac.me/results/de92d692-8143-4e4f-9c88-14f090a32d53/
SH256 hash:
b33bf3dc3f76df1e99a9c3b9a9be0c70197c2e8ea509a951f1cd22c127fcdfb1
MD5 hash:
e248b2414d7da1dd7aa80e09c3f7ceec
SHA1 hash:
840d826c78b637ac0c45161d5f7f9f739e42dd59
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/de92d692-8143-4e4f-9c88-14f090a32d53/
SH256 hash:
bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
MD5 hash:
ef60156618f28126ff1bec1f5e03e8f0
SHA1 hash:
fa107f67f4fc84687cc0f69cc17b542b099f6de4
Link:
https://www.unpac.me/results/de92d692-8143-4e4f-9c88-14f090a32d53/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bfde4e4d95b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427215/

Comments