MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819
SHA3-384 hash: d824c03d67aba90ec532bf1cdca726fd93d1a148ab1317ce2e880c71c929f74363a8517243b1ee50444cfce887b8ef09
SHA1 hash: b86d522afed94a79d1568cdbd4859b2f142bbc2b
MD5 hash: 717ee3eb61e97bab2e57e3e7b88275dd
humanhash: batman-artist-robert-ohio
File name:DENSCO QUOTE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:855'040 bytes
First seen:2021-06-03 19:24:21 UTC
Last seen:2021-06-10 08:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XqkLhxPO1c/gr0Opi2Yk8esacIjSDLAKXw/GXehoQKpu4OEW6teHBOIFssdsJ7hM:XXPau9OM2539Ihdho6S
Threatray 5'597 similar samples on MalwareBazaar
TLSH CF05392439FA501AB173EFAA8BE4B5E6DA6FB7733B07645D109003864723A81DDC153E
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DENSCO QUOTE.exe
Verdict:
No threats detected
Analysis date:
2021-06-03 19:27:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba3c369b-9173-4dc3-9597-c227f9e0c1c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164497/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796951
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429347 Sample: DENSCO QUOTE.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 6 other signatures 2->51 6 DENSCO QUOTE.exe 3 2->6         started        10 NewApp.exe 3 2->10         started        12 NewApp.exe 2 2->12         started        process3 file4 25 C:\Users\user\...\DENSCO QUOTE.exe.log, Unknown 6->25 dropped 53 Injects a PE file into a foreign processes 6->53 14 DENSCO QUOTE.exe 2 5 6->14         started        55 Multi AV Scanner detection for dropped file 10->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->57 59 Machine Learning detection for dropped file 10->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->61 19 NewApp.exe 2 10->19         started        21 NewApp.exe 10->21         started        23 NewApp.exe 2 12->23         started        signatures5 process6 dnsIp7 33 buynsell.com.pk 194.28.84.37, 49732, 587 HOSTPRO-ASUA Ukraine 14->33 35 mail.buynsell.com.pk 14->35 27 C:\Users\user\AppData\Roaming\...27ewApp.exe, PE32 14->27 dropped 29 C:\Users\user\...29ewApp.exe:Zone.Identifier, ASCII 14->29 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 Tries to harvest and steal ftp login credentials 14->41 43 4 other signatures 14->43 31 C:\Windows\System32\drivers\etc\hosts, ASCII 23->31 dropped file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 09:35:24 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjjkyjpvo3zduyrfww52b7bjg27j4piuitkukz6wolsavaoixamq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25cf729d7aa6237c733f37219f95dddc7428f459bb18d49a7b6f9f0014c4c9e3
AgentTesla
3f584a0e45a98791e456118d425aed123eab4e8b6c053ff608c48e19da9a59c6
AgentTesla
451e9ec4050240af48536c6f5620741555304a2f5d0524c53a559711434a2de3
AgentTesla
45c22ef191a04d054c8a9e4f873c8ccfe34527944da8c9f60dbb656c7a1dd30e
AgentTesla
63aa4b94125d5fd5621d354452e7f547b5937d099f3b92e1fc111f06136611fe
AgentTesla
6faef4e15fcae0545cbb7cdbb4200f4dcf7c18cdf12b072c65d779acef7d2092
AgentTesla
97660b0a53d557551f406f971bada8f0018180ae891ae43eca4965fee9eb187b
AgentTesla
c479ffce9f101b07f4f6983b3f90f7187966554681051145610b16d84dfc59ed
AgentTesla
e8b4a3da8520ef2fef960477140ece178120610dd34bcaa4c9d0d475ebdffd9c
AgentTesla
f87bef1ec7a4e68e8a9d2765a5fbfe2e0a66144a1efab71af82caad271654ee2
AgentTesla
+ 5'587 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210603-n6hlp254q2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/d3c8d4b1-0998-46ee-9239-79bc9e6a82dd/
SH256 hash:
d82c9148354d3589a773eb711b58df1db58bd48091f9fa7680685b621aa09571
MD5 hash:
4a563732e6cf51098ef1a316252cc9e0
SHA1 hash:
572dcd88699ab96a634d78519c92ec2b68c9bac2
Link:
https://www.unpac.me/results/d3c8d4b1-0998-46ee-9239-79bc9e6a82dd/
SH256 hash:
2883741c6312b6381c622a6dc55eb04b9b07a42aa5c541a82d90163fe44e65c1
MD5 hash:
7e5ca276e3efa597dba0a71a62616e4c
SHA1 hash:
0a5d553e87908d78c3809f837d5341f8cacf52f0
Link:
https://www.unpac.me/results/d3c8d4b1-0998-46ee-9239-79bc9e6a82dd/
SH256 hash:
8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819
MD5 hash:
717ee3eb61e97bab2e57e3e7b88275dd
SHA1 hash:
b86d522afed94a79d1568cdbd4859b2f142bbc2b
Link:
https://www.unpac.me/results/d3c8d4b1-0998-46ee-9239-79bc9e6a82dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8252ac25f576f23a6225b5bba0fc2936be9e3d1444d54567d672e40a81c8b819

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164497/

Comments