MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2
SHA3-384 hash: 7513c14f6134143416134411cd4b7a30ed8511f4b8ff5f25ac81a1811125da0e344157d4a37ab90c6b6d80aae7526d98
SHA1 hash: 7c46d09aa859fd5df51fd7469b2732788fc1d73b
MD5 hash: 84002f5aa1b3b3fe8611666657d71fc6
humanhash: potato-bravo-five-cardinal
File name:SecuriteInfo.com.Win32.TrojanX-gen.29383.6611
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'312 bytes
First seen:2023-09-05 06:32:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:QoQevB5bcvsCflR+mfNA3GlgElgoTWgME1lQvWRW24DGBFEOoFJnkDwMD8H:QoskCflAysGTfPHRW20GzEOQJnkDV8
Threatray 5'623 similar samples on MalwareBazaar
TLSH T1B5E40284B2A88F17D77F9BF6481461A407FB585B1532F3484CE7A4DB36A1BE14A00B7B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
e6059359-437d-4832-b187-1d8caff82ad4
Verdict:
Malicious activity
Analysis date:
2023-09-05 05:52:40 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/99e940fe-108a-42f6-a8bc-e81bd6851d6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446247/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.TrojanX-gen.29383.6611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f6cba24578d9c35e026064/reports/129d34a5-1344-421b-8e6e-33898e4d2e79/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a558269-32a4-478f-8db5-2aa70e46afea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303310
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1303310 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 59 mail.planeteducation.info 2->59 61 EMAIlA.planeteducation.info 2->61 65 Found malware configuration 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 5 other signatures 2->71 8 SecuriteInfo.com.Win32.TrojanX-gen.29383.6611.exe 7 2->8         started        12 zzHYWxzdzd.exe 5 2->12         started        14 WabOCM.exe 2->14         started        16 WabOCM.exe 2->16         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\zzHYWxzdzd.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp2CEA.tmp, XML 8->57 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 8->83 85 Adds a directory exclusion to Windows Defender 8->85 18 SecuriteInfo.com.Win32.TrojanX-gen.29383.6611.exe 2 5 8->18         started        23 powershell.exe 23 8->23         started        25 powershell.exe 23 8->25         started        27 schtasks.exe 1 8->27         started        87 Multi AV Scanner detection for dropped file 12->87 89 Injects a PE file into a foreign processes 12->89 29 zzHYWxzdzd.exe 12->29         started        31 schtasks.exe 12->31         started        33 WabOCM.exe 14->33         started        35 3 other processes 14->35 37 3 other processes 16->37 signatures6 process7 dnsIp8 63 EMAIlA.planeteducation.info 131.153.100.231, 49697, 49707, 49712 SS-ASHUS United States 18->63 51 C:\Users\user\AppData\Roaming\...\WabOCM.exe, PE32 18->51 dropped 53 C:\Users\user\...\WabOCM.exe:Zone.Identifier, ASCII 18->53 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->77 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        79 Tries to harvest and steal browser information (history, passwords, etc) 29->79 45 conhost.exe 31->45         started        47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-05 04:45:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdlw3qbthtfqjr6vrqt4ggng366lb5wjdyrswyqf5cjsojlu5lba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16d662bcb526f0bc319671cb02488c7d37a70925d73a04d79c25e3ce0abb5253
AgentTesla
1eba4559ea8e4c4a53804b0258ff3be6082861bd6f9b4b33876c4cb8bba5e407
AgentTesla
2768400847a861225f77e29ea61b399ab730571e068f3fa8a48072c94dc893e6
AgentTesla
2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5
AgentTesla
c0d4dfab211b00bc04b0ef763548fe9cd5d0ab7330546875ef1e29adcf33f800
AgentTesla
f4d50f538efd2ade1a4aa8ad827b6885af60dfcee80abe5efce6589318d7b45f
AgentTesla
fabbc9025f69a3acca316e85321c79bf83901f320a03d1efbd864037f5c7085d
AgentTesla
+ 5'613 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230905-ha7jsaeb37/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
55ea20faf9b0c8c00f3d3ea16ff5bfd836fa99f1941946885d45240d2f681f4c
MD5 hash:
eec54763c3b2e33ba860048ffe88f910
SHA1 hash:
8034038ca99a91c8fdf69b1bc745e9dcdaac02e4
Link:
https://www.unpac.me/results/4a65ff6b-39a2-4fbc-b6a4-6e81cedffd17/
SH256 hash:
5d8455af68206ac2fbef02b694294584b9279f0a8b6fcf92b173a2092c6e603b
MD5 hash:
bb3212acd914b7f922a8f3543c9f5e79
SHA1 hash:
3841a03d8dc314be183978860e7d0ee867ef5b22
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/4a65ff6b-39a2-4fbc-b6a4-6e81cedffd17/
SH256 hash:
6d480a8f3a1ca78db6e0698d75fec8bdf2ce12a75fe51c6f98c848615e901147
MD5 hash:
b9dd049bed61b0a6fdc5ad4a96e17ec2
SHA1 hash:
3505dd5c57c10edebab244849c47985e5f65bc72
Link:
https://www.unpac.me/results/4a65ff6b-39a2-4fbc-b6a4-6e81cedffd17/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/4a65ff6b-39a2-4fbc-b6a4-6e81cedffd17/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2
MD5 hash:
84002f5aa1b3b3fe8611666657d71fc6
SHA1 hash:
7c46d09aa859fd5df51fd7469b2732788fc1d73b
Link:
https://www.unpac.me/results/4a65ff6b-39a2-4fbc-b6a4-6e81cedffd17/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08d76dc0333c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446247/

Comments