MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9
SHA3-384 hash: 4033c155171990ef95c5299aed6ec8106bc241770a73e9f0bff44f76b3e39d4ba9b9888d2cf78a6a5aa7a35ae3a34cbe
SHA1 hash: daff4d45d4ed4d92c2aaf0eb46a439b8d5233af5
MD5 hash: 724589c0223c4b60360aa2dcac574343
humanhash: artist-indigo-south-item
File name:PO_CZ_08_06_21.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:575'488 bytes
First seen:2021-06-08 14:12:25 UTC
Last seen:2021-06-08 15:55:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:6QH9SUkKJuU6s/uLdYN8bMsRhQMk9oyFfbDXJe+yhdjVxcj:nH9ShFU6BnNm3jZZJQ
Threatray 5'924 similar samples on MalwareBazaar
TLSH 74C4F1132F19DA13C10117B85AC6C2797BB16F542B278306DBE1BEBFBAF17126C86581
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_CZ_08_06_21.exe
Verdict:
No threats detected
Analysis date:
2021-06-08 14:25:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/409060c8-939f-48ba-91a0-a20007a00ec6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165412/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798908
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431302 Sample: PO_CZ_08_06_21.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 6 other signatures 2->38 7 PO_CZ_08_06_21.exe 6 2->7         started        process3 file4 24 C:\Users\user\AppData\...\PO_CZ_08_06_21.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->26 dropped 28 C:\...\PO_CZ_08_06_21.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\...\PO_CZ_08_06_21.exe.log, ASCII 7->30 dropped 40 Writes to foreign memory regions 7->40 42 Allocates memory in foreign processes 7->42 44 Injects a PE file into a foreign processes 7->44 11 PO_CZ_08_06_21.exe 7->11         started        14 AdvancedRun.exe 1 7->14         started        16 AdvancedRun.exe 1 7->16         started        18 PO_CZ_08_06_21.exe 2 7->18         started        signatures5 process6 signatures7 46 Multi AV Scanner detection for dropped file 11->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->48 50 Machine Learning detection for dropped file 11->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->52 20 AdvancedRun.exe 14->20         started        22 AdvancedRun.exe 16->22         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 14:13:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcryydqeoespux2qugf5dpkgnnmrjbqyokvzoutny7v7td2gwcuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
1ffd9ccd21638268b51e34279dbaf228ff9ba166f704317a6d57b3ac91a65a3e
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
4b0e5ba2dd00abd0126cccabaf2b107a218040f555cd0432858a25de12cbdb36
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
916ba1be726e073d46ce02d5697723823362efc881a4d13aa803fd137fa63adf
AgentTesla
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
AgentTesla
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
AgentTesla
ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
AgentTesla
+ 5'914 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210608-mjvpfm3ybe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
f12d0f5710fdfa5fe3d420a94efcd9485c47c5ee5158e422834d8d81b278333e
MD5 hash:
57355cbc2053cad81ace7c73d2e107df
SHA1 hash:
bbf555e9be1041656d15e8da916cb26be28de742
Link:
https://www.unpac.me/results/058a579e-73bb-4bc2-a9e5-a01a5d0730f4/
SH256 hash:
f4c0642bed1f0b49f8b6e5252cec4f4f1c5613e219a58aeb38e678c440c9cb06
MD5 hash:
445c3e7eaade55fd88725e1941c97d7b
SHA1 hash:
007042439bbf0083296035327a117978b857f33f
Link:
https://www.unpac.me/results/058a579e-73bb-4bc2-a9e5-a01a5d0730f4/
SH256 hash:
ba491f72333dc5325fa1800d549815fd03c210ad9170cd71d4c17920e2367b15
MD5 hash:
9b3e09324ef98f5c26757a8f9ccab0c4
SHA1 hash:
0fbb2b3cbfbd3c4190ef2d6e627dec0648658a19
Link:
https://www.unpac.me/results/058a579e-73bb-4bc2-a9e5-a01a5d0730f4/
SH256 hash:
80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9
MD5 hash:
724589c0223c4b60360aa2dcac574343
SHA1 hash:
daff4d45d4ed4d92c2aaf0eb46a439b8d5233af5
Link:
https://www.unpac.me/results/058a579e-73bb-4bc2-a9e5-a01a5d0730f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 1b7b82ff5179f9aad499e049e6306220ddbc70740d1d76abb2efb0bef784cea7

AgentTesla

Executable exe 80a38c0e047124fa5f50a18bd1bd466b5914861872ab97526dc7ebf98f46b0a9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1b7b82ff5179f9aad499e049e6306220ddbc70740d1d76abb2efb0bef784cea7
Cape
Cape
https://www.capesandbox.com/analysis/165412/

Comments