MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
SHA3-384 hash: 1956f0bedb3f715b11abc690fad1554434b45598d65ba0dbe353fd0298acebd7302d348fc1d116e8557f68b065c840ea
SHA1 hash: e806096ff307d6d308c961b21531cbde7f691be8
MD5 hash: 9c66d28e37853ca1e2481acc88691743
humanhash: oxygen-friend-montana-item
File name:9c66d28e37853ca1e2481acc88691743
Download: download sample
Signature AgentTesla
Create hunting rule
File size:12'800 bytes
First seen:2023-07-01 10:12:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:bqwFkb7H0rKTW2eOitM0KNu+6XD5V87W1tflI3o+fJC6myRRW35DVVGV41Z:/UTcOi2026XDSsNI3obHBJ88
Threatray 15 similar samples on MalwareBazaar
TLSH T1CA421A049BFC416BE4BB43BC59A356400B39F7776613EF1E29CD71AA2C123945622377
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MiladGroup_Loader.ps1
Verdict:
Malicious activity
Analysis date:
2023-07-02 00:08:55 UTC
Tags:
loader
Link:
https://app.any.run/tasks/4d7e2635-faa3-486c-8f6c-a008da63bc1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/404845/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67881174.2428.17971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/649ffc2f204315fbc16c0587/reports/c7e79291-b819-4207-a6f0-78dd1fce91cf/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cef0471-61ea-483c-9618-ecd58feb1790
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1264467
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93/
Threat name:
Win64.Trojan.Cusloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-30 11:56:39 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgbp2zfkxxy5m7yazb76twipu7ksxzlcqrzytfken6bisaqf3sjq._file
Verdict:
malicious
Similar samples:
1201be819db6d09ce9bd23656c5bbd7430e0420f30c39afe37b3a4662581f143
AgentTesla
65831b6a853bb664e7f189003da9cdda832e5bcf647c1e262b3bc80acb715814
AgentTesla
66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
AgentTesla
838ce5b36c1e435c66278140a5ba8c1468f5e844f8cd8dd4aa330c5640b56053
AgentTesla
877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
AgentTesla
ab8674f0baf9cc51bdb639626664be6917a3682aa7ea25b7c233b673800513b0
AgentTesla
b82291de6b50625fbe64293024d4b7d3f1bc874e14d8a6c613b56cf4c5854d30
AgentTesla
c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465
AgentTesla
fbbad7f1ea80336f2d11ec3df5d547fedcca56d3def4eb369f605122b02f3f34
AgentTesla
+ 5 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230701-l83v2agf57/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/
Unpacked files
SH256 hash:
8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
MD5 hash:
9c66d28e37853ca1e2481acc88691743
SHA1 hash:
e806096ff307d6d308c961b21531cbde7f691be8
Link:
https://www.unpac.me/results/d738f77d-9839-4e91-ab3d-0c5dab509501/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8182fd64aabd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla

PowerShell (PS) ps1 312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0

AgentTesla

Executable exe 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2674880/
Cape
Cape
https://www.capesandbox.com/analysis/404845/
  
Dropped by
SHA256 312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0
  
Dropped by
MD5 afe9a29aebb1d81c76245d7485ec6238
  
Dropped by
SHA256 a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7
  
Dropped by
MD5 e3851631069614440bca9ad8776c6973

Comments


Avatar
zbet commented on 2023-07-01 10:12:08 UTC

url : hxxp://107.175.113.210/976/nmcn.exe