MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084
SHA3-384 hash: b22d6fe6737c1f58749c8bee9d34ecca57d4ee67832e37fbd46cd8374fd0b6b4e35486c7047457ad5eaf4acd937ff891
SHA1 hash: 0f092118064f45a43a9528d0cfd207f60bae65aa
MD5 hash: 84d3eb45f1ea15290edd4c40af005656
humanhash: one-eight-mars-magazine
File name:84d3eb45f1ea15290edd4c40af005656.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'371'648 bytes
First seen:2023-09-29 08:48:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:qZTgNqg2CeDQ28rWgPamYVVN3LKF+8qRJg3ObFzPHY57DlaufYdTObyY:qKNqFCn2sLPamg10+8O2YjHYjaugdMr
TLSH T1A855DF65942964B9C7FB02374653D64428B85F8DB81FAF6D6026BFE23BFE3C22401D52
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f4e0696de0f4f0 (3 x SnakeKeylogger, 3 x AgentTesla, 1 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
84d3eb45f1ea15290edd4c40af005656.exe
Verdict:
Malicious activity
Analysis date:
2023-09-29 09:29:01 UTC
Tags:
evasion stealer snake keylogger agenttesla
Link:
https://app.any.run/tasks/5d9cdacd-2d60-49bd-a968-811b6a941e37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.18977.24287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Stealing user critical data
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/65168f4549c6a4ce497f2cff/reports/23c1ee6f-8c52-4c4a-a11c-93f2ca84afa0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bcbaf58-8643-4c26-97d2-2e6b7ab84c1d
Result
Threat name:
AgentTesla, Redline Clipper, Snake Keylo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316274
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Redline Clipper
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1316274 Sample: bv2D5NMv2Z.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 78 product-secured.com 2->78 80 ftp.product-secured.com 2->80 88 Multi AV Scanner detection for domain / URL 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 17 other signatures 2->94 9 bv2D5NMv2Z.exe 3 2->9         started        13 avast.exe 2->13         started        15 avast.exe 2->15         started        17 avast.exe 2->17         started        signatures3 process4 file5 76 C:\Users\user\AppData\Local\...\svchost.exe, PE32 9->76 dropped 106 Drops PE files with benign system names 9->106 108 Injects a PE file into a foreign processes 9->108 19 bv2D5NMv2Z.exe 4 9->19         started        22 svchost.exe 2 9->22         started        25 cmd.exe 2 9->25         started        33 2 other processes 9->33 110 Multi AV Scanner detection for dropped file 13->110 112 Machine Learning detection for dropped file 13->112 27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        35 2 other processes 13->35 31 cmd.exe 15->31         started        37 3 other processes 15->37 signatures6 process7 file8 70 C:\Users\user\AppData\Roaming\wordd.exe, PE32 19->70 dropped 72 C:\Users\user\AppData\Roaming\excell.exe, PE32 19->72 dropped 45 2 other processes 19->45 96 Multi AV Scanner detection for dropped file 22->96 98 Machine Learning detection for dropped file 22->98 100 Injects a PE file into a foreign processes 22->100 49 5 other processes 22->49 102 Uses schtasks.exe or at.exe to add and modify task schedules 25->102 104 Drops PE files with benign system names 25->104 39 conhost.exe 25->39         started        52 2 other processes 27->52 41 conhost.exe 29->41         started        54 2 other processes 31->54 74 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 33->74 dropped 56 3 other processes 33->56 43 conhost.exe 35->43         started        58 2 other processes 37->58 signatures9 process10 dnsIp11 82 api.ipify.org 45->82 84 product-secured.com 179.43.183.46, 21, 49471, 49798 PLI-ASCH Panama 45->84 86 8 other IPs or domains 45->86 114 Antivirus detection for dropped file 45->114 116 Multi AV Scanner detection for dropped file 45->116 118 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 45->118 122 4 other signatures 45->122 68 C:\Users\user\AppData\Roaming\...\avast.exe, PE32 49->68 dropped 60 conhost.exe 49->60         started        62 conhost.exe 49->62         started        64 conhost.exe 49->64         started        66 schtasks.exe 49->66         started        file12 120 May check the online IP address of the machine 82->120 signatures13 process14
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 13:50:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=babhmturkliikcyq3a6sq7vihnxlezknv3lc2jkyanys6ax4acca._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:snakekeylogger collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230929-kqf3waac57/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
SH256 hash:
d6290de8c4f5102165ca16bb5b65dfd3fbdf8baf8f0a73caeff1a33e90c8fa7c
MD5 hash:
512f490f197558ca9afa1c92dbe4c64d
SHA1 hash:
e2ad66737e4f3293d0ba91dc95c753a4f8654388
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
SH256 hash:
dee8eb26e65bf0244ac8b5d6a68fd3852039816753e5ba7da1ef6cc7f99bc1f4
MD5 hash:
55b476cd9307658417e3a32f11e8ec3c
SHA1 hash:
f4d4cd0733cb76852d82b426f45f3ed78f15587b
Detections:
snake_keylogger
Create hunting rule
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
SH256 hash:
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
MD5 hash:
ed9d91fe584d5109d4067734ac452753
SHA1 hash:
c277e57866833509d94787fc6f4d634a2714825d
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
SH256 hash:
9b95f97f6d13bc5355bee59b316c7630854f27fa06e732ddff048beb71a418cc
MD5 hash:
3db79fffe3d0c29fba8841dc5a90ca38
SHA1 hash:
5d741ee46f1b8ff12fcf202557255bd26b7e024d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
SH256 hash:
fe5c1d889311a86b8c0c29a8585acaf79bef3a03c3db746e582dc21ddda60a07
MD5 hash:
7fe292bc5ea2ef1ec95fbe7c4283b69b
SHA1 hash:
1b4ac2a792855b53db41b4280c4f41f60895a41d
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
Parent samples :
ff777a5e6a54f56d5452624ec6f0cd6938ba286ce648176efeec46fcceed5286
573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761
0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084
SH256 hash:
0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084
MD5 hash:
84d3eb45f1ea15290edd4c40af005656
SHA1 hash:
0f092118064f45a43a9528d0cfd207f60bae65aa
Link:
https://www.unpac.me/results/11511431-c432-4714-b7b3-24f922fd22fe/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0802764e9152/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0802764e9152d0850b10d83d287ea83b6eb2654daed62d255803712f02fc0084

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2714254/
  
Delivery method
Distributed via web download

Comments