MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679
SHA3-384 hash: 42338afc15c992442e59e2e8b8884eeb5d2d73e87ce79b278718ae942151173686a79f5dc4c6c2fefc76132789344282
SHA1 hash: fac611cfa9eab717732bfe55c76a3c5e9ebbd6f9
MD5 hash: ac54156a7e43cf2ff559eccab719cd56
humanhash: beryllium-floor-nine-twenty
File name:IMG_003_166_372.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:264'688 bytes
First seen:2021-06-14 05:04:30 UTC
Last seen:2021-06-14 05:51:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:SigI1J4iuRpiOIU+S+nRFfpXujHy1lSSz8twyM3Cuj7NkhJU1:D/4iuRpiTU+S+nRFfp+jdI2BM3C27gU1
TLSH 0944F23B52872541E9D20FF66DA05D7AB4FCFB40052F19F3A9452E3FC849B8ADB22215
Reporter lowmal3
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:Telegram FZ-LLC
Issuer:COMODO RSA Extended Validation Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-07T00:00:00Z
Valid to:2022-10-06T23:59:59Z
Serial number: 1f3216f428f850be2c66caa056f6d821
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e31f1b9c3ddd0edefdf96f85b8ffd1db976573bb262cc6e1154ad8fdc4d55449
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_003_166_372.exe
Verdict:
No threats detected
Analysis date:
2021-06-14 05:05:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/366fc413-ca67-42ba-8f7a-5cdb75526187

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.835.25596.20514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c532a94-2357-44cb-9104-c5fec17af9a0
Result
Threat name:
Agent Tesla AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801493
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Detected Agent Tesla keylogger
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433889 Sample: IMG_003_166_372.exe Startdate: 14/06/2021 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 Multi AV Scanner detection for dropped file 2->34 36 9 other signatures 2->36 6 IMG_003_166_372.exe 25 2->6         started        process3 file4 16 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 6->16 dropped 18 C:\Users\user\AppData\...\IMG_003_166_372.exe, PE32 6->18 dropped 20 C:\Users\user\...\notpad.exe:Zone.Identifier, ASCII 6->20 dropped 22 2 other malicious files 6->22 dropped 38 Creates an undocumented autostart registry key 6->38 40 Writes to foreign memory regions 6->40 42 Allocates memory in foreign processes 6->42 44 2 other signatures 6->44 10 IMG_003_166_372.exe 16 14 6->10         started        14 IMG_003_166_372.exe 6->14         started        signatures5 process6 dnsIp7 24 checkip.dyndns.org 10->24 26 robyngraphs.com.au 192.185.198.10, 49709, 49710, 80 UNIFIEDLAYER-AS-1US United States 10->26 28 checkip.dyndns.com 162.88.193.70, 49708, 80 DYNDNSUS United States 10->28 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->46 48 Tries to steal Instant Messenger accounts or passwords 10->48 50 Tries to steal Mail credentials (via file access) 10->50 58 3 other signatures 10->58 52 Multi AV Scanner detection for dropped file 14->52 54 May check the online IP address of the machine 14->54 56 Machine Learning detection for dropped file 14->56 60 2 other signatures 14->60 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bddtcs7lvkdwmvj6z3pzfw2xfugegqli3wlsdft4tui2jdfe4z4q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210614-kan1dyvvza/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
662599bf8a2d1aeb5b6858c0ba275a7f9888d71072a9d7d8249a8140d9bd8925
MD5 hash:
bc3584e1839f7611be49fdafd5d8781c
SHA1 hash:
d887a65b8c7160d69ad36849c3c1232f0b248a6b
Link:
https://www.unpac.me/results/e0b8248c-b54f-494a-a407-a3dfc48202d9/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/e0b8248c-b54f-494a-a407-a3dfc48202d9/
SH256 hash:
a526b7571c3aa2314fd3d18bb6627c049ae15420b6a354fe6cfb0811da9f0df3
MD5 hash:
dbfa9e44f25a952305b431fbccc1f4f2
SHA1 hash:
f84fedf1ffcadc5aced7b24216bfd37da7feeb3c
Link:
https://www.unpac.me/results/e0b8248c-b54f-494a-a407-a3dfc48202d9/
SH256 hash:
895bfdd6e7c61606737a6c427d1be717485e76d680191b09e9f8861750396610
MD5 hash:
0d854682e8c2ae3cf38c90644eeb5b87
SHA1 hash:
ecad7a9d3f0d487f119c54d8c727fb3f18a92f15
Link:
https://www.unpac.me/results/e0b8248c-b54f-494a-a407-a3dfc48202d9/
SH256 hash:
08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679
MD5 hash:
ac54156a7e43cf2ff559eccab719cd56
SHA1 hash:
fac611cfa9eab717732bfe55c76a3c5e9ebbd6f9
Link:
https://www.unpac.me/results/e0b8248c-b54f-494a-a407-a3dfc48202d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/1363896/

Comments