MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c
SHA3-384 hash: f542913e84235d4552dde659ef7c0f6aabede30a9572b57a24bccac10aba51c07fd25989dad23a47b2005b18732d6cfd
SHA1 hash: cf0b73e45c0239865d3be930aced04a1513d0194
MD5 hash: 7fb34ce8d9791b9ecfc9ceec60fe4c5a
humanhash: moon-connecticut-island-coffee
File name:AWB & Shipping Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'124'352 bytes
First seen:2021-01-14 09:58:42 UTC
Last seen:2021-01-14 11:46:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:3WiNgCL6+zm9cLDZvoCiQ5edf+YTx2Ge8pGXJf7vEqzOAZAMjEd997:3W/UXzm9cHWCd5edHTO+GXJTtVj8
Threatray 2'206 similar samples on MalwareBazaar
TLSH FC352A40BBD85700F3BD27BC697040615BF5FB95ABB9E31CF86C506A1BA2D5080BE762
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB & Shipping Document.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-14 10:02:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/54d2fd05-94c5-4272-8aa9-588b0c8b7751

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111984/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.504.6369.25413.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581116
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 04:45:00 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bd4pwbeekxvkohhrknsr4legipqwngwstps7ki66bof3hgmw5ewa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2120a958805532d53821fb90eaaa140d8a6461f667b392e352311ff896465f46
AgentTesla
38dac51ef91ec8f45bdb2749e2eec758b07e7b9855f2b9b25d2e59783ba9ff41
AgentTesla
3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344
AgentTesla
3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
AgentTesla
5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3
AgentTesla
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
AgentTesla
8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
AgentTesla
9010e5361743ddacac6baa4a585ed4d9db9ed3ce65401b012d16923afebe414f
AgentTesla
94f81943be519b482170b3ff9d5091adc1e4a001cc5094ff5c71e9466f69b2f3
AgentTesla
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
AgentTesla
+ 2'196 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210114-zhdycf76es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c
MD5 hash:
7fb34ce8d9791b9ecfc9ceec60fe4c5a
SHA1 hash:
cf0b73e45c0239865d3be930aced04a1513d0194
Link:
https://www.unpac.me/results/87ba8124-864d-4ab6-99e8-0d896e0b3f0b/
SH256 hash:
f60bf34dbcbfc161410eb2697d8daf09c9d7d012802709aad1ed5e4251dca489
MD5 hash:
ca941434cd4361cfdd89e106f53d52a1
SHA1 hash:
08c08243cae17893fbd66a0e5e8604ac99652a0e
Link:
https://www.unpac.me/results/87ba8124-864d-4ab6-99e8-0d896e0b3f0b/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/87ba8124-864d-4ab6-99e8-0d896e0b3f0b/
SH256 hash:
6f65f595dce9ae3d40feb922be2661ad2bf0935c08d40bc42066e9d6f09525a0
MD5 hash:
05ddb770604d904f62a1a21b8034e548
SHA1 hash:
dfe61aaa2d779dca953da8239c34d703b681399a
Link:
https://www.unpac.me/results/87ba8124-864d-4ab6-99e8-0d896e0b3f0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 8a647e8b1cdc8ea6528a855f7f279334fb7fd7f4f4edde011bfa9acfcc34378e

AgentTesla

Executable exe 08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c

(this sample)

  
Dropped by
MD5 44bfe4023ad9825c4261798276d5d8d2
  
Dropped by
SHA256 8a647e8b1cdc8ea6528a855f7f279334fb7fd7f4f4edde011bfa9acfcc34378e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111984/

Comments