MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
SHA3-384 hash: 3f69091892e37548282744ebc0c352f75130a96394a76d52f4f56827fd7688551e5850c59b57b1483779c3b0528f9f99
SHA1 hash: ee7d31f6c90aee06650404f5a6cde136bafb5040
MD5 hash: 1e6729b59117633d3c8b304267159c0c
humanhash: crazy-double-crazy-uncle
File name:NORIDC APOLLOCTM_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'056 bytes
First seen:2023-09-14 13:32:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/Kj8FwLm/pLYGVocRDKJ1Gi25AGfnPdCqotNTtsVOzPXf:/Kj8F62X7R2nanlNYTaVCX
Threatray 5'632 similar samples on MalwareBazaar
TLSH T1A6D42385276DEA30D5D617F1B1F4449813BBCB52E62BD7280F8513781E1BB523BC83AA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
NORIDC APOLLOCTM_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 13:33:52 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/9a8873f2-a4b9-46dd-86e7-44569dfdec8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448640/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.14326.3800.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65030b8eb572d5a2189c0a3a/reports/c2446e74-f026-4ae8-95fc-54a4c2d6ab86/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1bd5624-c5ef-47db-8f14-3ef81d1cc45c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307904
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 05:44:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 34 (64.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdxcjjzesjwzhdmj6xd4oziov5tvcktehbw5hu5oubuluekxyc7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0157c83047900d2fd372d845d5107e403b7485aa00c3a7b762121f19bdf8b45e
AgentTesla
023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
AgentTesla
1b16ab38f1808b6853077196891a181f1909607e522bc12535d3e39364055687
AgentTesla
601ca85fa385ee74827fc023fc91c88964e8bc7dd8724305cddf1e089c7d372a
AgentTesla
76c37956d47aeada7e087a7cca0c1da69b6cd2aaaf791f139164a98c664c3dfb
AgentTesla
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
AgentTesla
c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
AgentTesla
c71536271f3fc6a65fdd6246d476a70213de2d0f2808ca81ae49179b7aa284a8
AgentTesla
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
AgentTesla
+ 5'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230914-qthnrseh62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/528d35db-12bb-479b-a99e-150b07e75c49/
SH256 hash:
5f42b6d6ec968a8294d26d99549841d2322dbc23efd6ca3b8ad3869f897689dd
MD5 hash:
53d319810ae0cd8564fc98e9fd9a3bf9
SHA1 hash:
92dd41995ef5654b9fb8b57e47f072c40713a2c5
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/528d35db-12bb-479b-a99e-150b07e75c49/
Parent samples :
1b16ab38f1808b6853077196891a181f1909607e522bc12535d3e39364055687
c21b9b8bfd4280be82abd38905186dfabcd0f23f3953b2da5e1fac304261f967
08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
ce3a3c9f22255146152575aa50fc9f5f1ef3f8c96b9b94cd766301045f846612
246d6ffb502aa4b83300c5bb35e008e245ad36d243a83e6bdfee04eefdaac71e
eae8ee79f837443d3f1ca4a05375b801e6f12b5cc9b826312a59efbff650cbdb
0ef85406b6effa7a7ce0748cea4c755efcb8e8ba8cf3201ce8591b3c9acf51da
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/528d35db-12bb-479b-a99e-150b07e75c49/
SH256 hash:
a175da290f95ec3951127fd6a07265a28528c3ecf6debfa2a2578958e7fa66c2
MD5 hash:
2865b0ea215d58bacf16082d270a34e3
SHA1 hash:
03c744eed84e6d9aedbe7871f8c5d7e44f240cb1
Link:
https://www.unpac.me/results/528d35db-12bb-479b-a99e-150b07e75c49/
SH256 hash:
08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
MD5 hash:
1e6729b59117633d3c8b304267159c0c
SHA1 hash:
ee7d31f6c90aee06650404f5a6cde136bafb5040
Link:
https://www.unpac.me/results/528d35db-12bb-479b-a99e-150b07e75c49/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08ee24a72492/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/448640/

Comments