MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d
SHA3-384 hash: a7b16ca2434bc8bb0eb9bb56468c86ff9e79d8452c622e0e76ae5e9059215a9ccf868cfd44bf897b9a462a4c5e286be3
SHA1 hash: 61f8d6f962b30df274bf64821709a10816fb9f15
MD5 hash: 218566f78183c63526d589250c454405
humanhash: stairway-yankee-minnesota-don
File name:HSBC Bank Payment Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:898'048 bytes
First seen:2023-02-07 17:11:11 UTC
Last seen:2023-02-07 18:39:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:tbnBFmcWUoN8GEcNEV3A4rxN5IC54TWMxA:tbnBMRzSG6Ntgi/
Threatray 25'410 similar samples on MalwareBazaar
TLSH T1F215014A22ECDAD2D55C4AB99CD4F36C63357D298052CE19BDC0FB8E5A32A4204F357E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b4ecccccd4c4ccc8 (8 x AgentTesla, 6 x Formbook, 2 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe HSBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Bank Payment Copy.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 04:22:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bb699ec-32f5-42a9-9d87-f1a5387f6960

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361494/
Detection(s):
SecuriteInfo.com.Variant.Lazy.294408.21139.8718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e286662d4f6d560e248d6d/reports/1b5cafd8-cd52-4d1b-ada4-1920907fbbe3/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f44e01ef-4e94-41d1-91c2-b96c0c486846
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168182
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 02:46:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcewdhenxioq2osswjznmgp5mzmk3sbp2t2e35efqkynmuc7m46q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
175b18fc4d1ce73099a94c25d5fee0af5704e47b37803137368bdf416fc8a364
AgentTesla
20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d
AgentTesla
3191fe463f8c9a91ccf9ed9a81daef803f9c184fcb093b24ffafa1f2f318eb64
AgentTesla
4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203
AgentTesla
41857a1bfb1cda7337d39a4c6bcec253fb44532179f9cb12e919608f227e3dcb
AgentTesla
7116f819cf1a305e813cb1bf9d3667fdc18efd1d5ed7e6c5a3afe92c1040addb
AgentTesla
7ea54a151d7340d97ccc3d53dbf82900b2205f0df10b0571a12501ecaad5359d
AgentTesla
f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6
AgentTesla
+ 25'400 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-vqvalscg98/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
SH256 hash:
d07def6e413577aa225e848844e5a5f71e504cd73a8e04b969efc5f9a623d987
MD5 hash:
9834b36fa8df55f210f57be19afc9f7e
SHA1 hash:
cd5641c130fcbd0aab2539ac18803d92d2de1375
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
SH256 hash:
d2701a8e765562b6fa073ac44a3fb4afbd03a036556195b7ac89a6d86ce7e0ff
MD5 hash:
a33d57f3a9805bdebd7c37b54db362eb
SHA1 hash:
580fb27bf7f2da88c0c4ca7ce940d86543f431af
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
SH256 hash:
5366a27c80fe8cfa03473eccd463b51c6bd8e25ce503501345491d77a582aee5
MD5 hash:
fb3a8aeea8c511db2befe9159f54609b
SHA1 hash:
2d27c7daf3b3e5425de246b0b8aa8a78153f2c63
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
SH256 hash:
8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d
MD5 hash:
218566f78183c63526d589250c454405
SHA1 hash:
61f8d6f962b30df274bf64821709a10816fb9f15
Link:
https://www.unpac.me/results/29181052-5aac-4f2f-a747-dc2e28dbe9c8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8089619c8dba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/361494/

Comments