MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 508de38b2d605ccd6886dad188e151e3061896f795fc7ee60db182397d1b397e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

SHA256 hash: 508de38b2d605ccd6886dad188e151e3061896f795fc7ee60db182397d1b397e
SHA3-384 hash: ac1f0ba54d33e9648f4c1ce27c8c53848bf10b19ca6ceb128d1b6ede74b3a3338d7fb39bea66c4c97f4d5eaea92797da
SHA1 hash: 115d7b4088d5971ce4ed242d4b529cfac084bc2d
MD5 hash: 2ec20217eeee13fa3c35eafaaa82cf20
humanhash: jersey-emma-missouri-chicken
File name: swift copy of $63,260.00.exe
Signature: AgentTesla
File size: 1'162'240 bytes
First seen: 2024-08-01 06:40:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep: 24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aTLewTY7OiA58q:zTvC/MTQYxsWR7aTSlD8
TLSH: T17B35BF0273D1C062FF9B92734B5AF6115BBC69260123E61F13981DBABE701B1563E7A3
TrID: 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter: threatcat_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 327
Origin country: CH
Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: swift copy of $63,260.00.exe
Verdict: Malicious activity
Analysis date: 2024-08-01 07:09:17 UTC
Tags: stealer evasion agenttesla exfiltration smtp
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: Execution Network Shellcodecrypter

Result
Verdict: Malware
Behaviour:
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla

Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2024-08-01 01:46:48 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla_v4 agenttesla

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla credential_access discovery keylogger spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla

Unpacked files
SHA256 hash: aa4240d3c6a1ba38ff9c7abe3455a20c782b5e3aaa96af6e4332bc9476fd656e
MD5 hash: 06af3c3f7b31c9d3d27981a0842dacb0
SHA1 hash: 407cc724660e5787cf05e03b08c6f28b4835d51f
Detections: AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Parent samples
SHA256 hash: 508de38b2d605ccd6886dad188e151e3061896f795fc7ee60db182397d1b397e
MD5 hash: 2ec20217eeee13fa3c35eafaaa82cf20
SHA1 hash: 115d7b4088d5971ce4ed242d4b529cfac084bc2d
Detections: AutoIT_Compiled

Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: pe_detect_tls_callbacks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 508de38b2d605ccd6886dad188e151e3061896f795fc7ee60db182397d1b397e (this sample)
Delivery method: Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::CopySid, ADVAPI32.dll::FreeSid, ADVAPI32.dll::GetLengthSid, ADVAPI32.dll::GetTokenInformation, ADVAPI32.dll::GetAce
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance, ole32.dll::CoCreateInstanceEx, ole32.dll::CoInitializeSecurity, ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW, WINMM.dll::timeGetTime, WINMM.dll::waveOutSetVolume
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce, ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::CheckTokenMembership, ADVAPI32.dll::DuplicateTokenEx, ADVAPI32.dll::GetAclInformation, ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW, KERNEL32.dll::CreateProcessW, ADVAPI32.dll::CreateProcessWithLogonW, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenProcessToken, ADVAPI32.dll::OpenThreadToken
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::SetSystemPowerState, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW, KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, IPHLPAPI.DLL::IcmpCreateFile, KERNEL32.dll::CreateFileW
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW, ADVAPI32.dll::GetUserNameW, ADVAPI32.dll::LogonUserW, ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W, MPR.dll::WNetUseConnectionW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW, ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput, USER32.dll::CloseDesktop, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::FindWindowW