MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ece67aa85fe6065793915cbb131064fbbae056c12a0402eac038c23eedda754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: 8ece67aa85fe6065793915cbb131064fbbae056c12a0402eac038c23eedda754
SHA3-384 hash: e7e6af52d8b47a66718b6d2f1b1296c37b5c569f0cfbdfe905abe10cc395f2bd6a25ea4ce494d75c89dc68ca49c57f72
SHA1 hash: 3ed18220bc44124569ba0c2f649b8d81bdd8b23b
MD5 hash: 1816e8da2dee59b874332183ec7d2dc0
humanhash: whiskey-grey-nuts-saturn
File name: nwamaz[1].bin
Signature: AgentTesla
File size: 877'568 bytes
First seen: 2020-07-17 05:41:52 UTC
Last seen: 2020-07-17 06:46:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:HrMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnmo2k4zU8wS/Mt8Vk+pu+Z2lzdLd5g:HrvxguwcLjrkSQ8VkN62lxLdxk
Threatray: 10'621 similar samples on MalwareBazaar
TLSH: 71154BF79B4D81C2C8AF9EBCC49207710997EDC1F0F5A60B02667C363676BA0D88556B
Reporter: JAMESWT_WT
Tags: AgentTesla

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 85
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 246672; sample nwamaz[1].bin; start date 18/07/2020; architecture WINDOWS; score 100), recovered from the rendered graph:
  Contacted domain: mangero.xyz
  Signatures on the sample itself: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
  nwamaz[1].exe (started from the sample)
    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    Injects a PE file into a foreign processes
    Dropped: C:\Users\user\AppData\...\nwamaz[1].exe.log (ASCII)
    -> three child nwamaz[1].exe processes; one of them:
       Contacts mangero.xyz
       Dropped: C:\Users\user\AppData\Local\...\nwama.exe (PE32); C:\Users\user\...\nwama.exe:Zone.Identifier (ASCII)
       Hides that the sample has been downloaded from the Internet (zone.identifier)
       Installs a global keyboard hook
  nwama.exe (started from the sample)
    -> three child nwama.exe processes; one of them:
       Contacts mangero.xyz
       Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
       Tries to steal Mail credentials (via file access)
       Tries to harvest and steal ftp login credentials
       Tries to harvest and steal browser information (history, passwords, etc)
  nwama.exe (second instance started from the sample)
    Multi AV Scanner detection for dropped file
    Machine Learning detection for dropped file
    -> one child nwama.exe process
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-17 05:41:42 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: persistence spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments