MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814
SHA3-384 hash: fbf699a05e9b35da31e41f2eac81f52cd15890af1843266353967f9f47df60f1dde53dd97bb18afe0cb423a098fb37b5
SHA1 hash: 123db9766101ab6a9cf02f863fa8a303aff84458
MD5 hash: d60bdc4ce9f86b0797bf7312b8b883b5
humanhash: fruit-august-juliet-hydrogen
File name:d60bdc4ce9f86b0797bf7312b8b883b5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:39'504 bytes
First seen:2021-04-20 12:09:09 UTC
Last seen:2021-04-20 13:01:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:HjCbe16i6KfMNtAWY7WELsQa4a8ChNCjy3U3Lshh:Hj8eI2fMNtA7gQMhwjP30
Threatray 4'083 similar samples on MalwareBazaar
TLSH F803C3AA24907159D9E309B42D62FC743F28A7709C80D10DE466864CCF86BFB74ED9DE
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d60bdc4ce9f86b0797bf7312b8b883b5.exe
Verdict:
Malicious activity
Analysis date:
2021-04-20 12:38:32 UTC
Tags:
trojan dtloader loader
Link:
https://app.any.run/tasks/32317620-fe96-4409-b4f2-de54aff1d2aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/139624/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46134786.16132.14104.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/688985
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814/
Gathering data
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
112f248bd983696a69465381b2ddadd26bb41419c649b54afd83db67bef21e37
AgentTesla
1b2155f2df693ef4f05ea92b20c266af854259620755205ee965fcb1382eb1dc
AgentTesla
25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f
AgentTesla
57237e2f22f1c26b4d77c3b4d66537cc48a03980582100eda2162a78b9a04ce9
AgentTesla
996c7d7177a30556d65872fdff745dd5adcfd6742dea6f71318e8cbc7d4cca26
AgentTesla
a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0
AgentTesla
b523f00e6fe208d0e59f58e0d45740017b0659821fc7f9daae35313eb1d9e80a
AgentTesla
c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec
AgentTesla
f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61
AgentTesla
+ 4'073 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210420-jgdpfw2a4j/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/139624/
  
URLhaus
https://urlhaus.abuse.ch/url/1072880/
  
Delivery method
Distributed via web download

Comments