MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
SHA3-384 hash: 13ca55ab64523fdfd021849543da05f435454588d9998fe6e23a7f539db86551ce6f789e43da35c5b95c77748625c1d5
SHA1 hash: 4d56f4cc97feaa2a0811814a2e0df436d1ccc2e0
MD5 hash: f00b2621ba35e3cb7e4eccf8b9dc6328
humanhash: rugby-beer-beer-golf
File name:Revised PI 28 08 2024.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'376 bytes
First seen:2024-08-28 10:15:46 UTC
Last seen:2024-08-28 11:53:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:znPmsw4E9d7xzFoitQVJsK5qIoEFMz5xrZcyG4Z5Sn2lCm3N:qXdftQIKa5xFcyGQeq3N
Threatray 2'447 similar samples on MalwareBazaar
TLSH T14FE4234957882607DFAC4EB351526889D432FBBBC012F2875CDC9AF58F6539CC212E9E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon ccb0e06969d0f0f0 (4 x AgentTesla, 2 x RedLineStealer, 2 x Formbook)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
370
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Revised PI 28 08 2024.exe
Verdict:
Malicious activity
Analysis date:
2024-08-28 10:19:22 UTC
Tags:
evasion stealer smtp exfiltration agenttesla
Link:
https://app.any.run/tasks/604b0723-7abf-4f9d-a593-bce717762ab2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.22182.27814.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cef8e3fe69a9e56049a92e
Tags:
Discovery Execution Infostealer Network Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Connection attempt to an infection source
Stealing user critical data
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/66cef8e55959a837dd11ac57/reports/01871a13-c815-4aa3-b05f-26ce281da837/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4eb2b9b0-acc9-4586-a7ab-70ce82fd0205
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1500400
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500400 Sample: Revised PI 28 08 2024.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 42 showpiece.trillennium.biz 2->42 44 mail.showpiece.trillennium.biz 2->44 46 api.ipify.org 2->46 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 15 other signatures 2->58 8 DfGWPm.exe 5 2->8         started        11 Revised PI 28 08 2024.exe 7 2->11         started        signatures3 process4 file5 60 Antivirus detection for dropped file 8->60 62 Multi AV Scanner detection for dropped file 8->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->64 66 Machine Learning detection for dropped file 8->66 14 DfGWPm.exe 14 2 8->14         started        17 schtasks.exe 1 8->17         started        34 C:\Users\user\AppData\Roaming\DfGWPm.exe, PE32 11->34 dropped 36 C:\Users\user\...\DfGWPm.exe:Zone.Identifier, ASCII 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmpB062.tmp, XML 11->38 dropped 40 C:\Users\...\Revised PI 28 08 2024.exe.log, ASCII 11->40 dropped 68 Adds a directory exclusion to Windows Defender 11->68 70 Injects a PE file into a foreign processes 11->70 19 Revised PI 28 08 2024.exe 15 2 11->19         started        22 powershell.exe 22 11->22         started        24 schtasks.exe 1 11->24         started        signatures6 process7 dnsIp8 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->72 74 Tries to steal Mail credentials (via file / registry access) 14->74 76 Tries to harvest and steal ftp login credentials 14->76 78 Tries to harvest and steal browser information (history, passwords, etc) 14->78 26 conhost.exe 17->26         started        48 showpiece.trillennium.biz 67.23.226.139, 49714, 49719, 587 DIMENOCUS United States 19->48 50 api.ipify.org 172.67.74.152, 443, 49712, 49718 CLOUDFLARENETUS United States 19->50 80 Installs a global keyboard hook 19->80 82 Loading BitLocker PowerShell Module 22->82 28 WmiPrvSE.exe 22->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd/
Threat name:
ByteCode-MSIL.Infostealer.Limitail
Create hunting rule
Status:
Malicious
First seen:
2024-08-28 07:07:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkidgr6445g23zx6lap2o5vmgevpbppvbdccwzvdnqe6uq44do6q._file
Verdict:
malicious
Similar samples:
20aa510e22a6e0abf81a9cdb4491977cc7035ef0f62bf4e97e880688594707a8
AgentTesla
31bdc1cbcf58dae297131e9f07035d6d33211744187d60ba9272a7bf4c602b42
AgentTesla
7945ab65ff11a8dfe0222746cb2a8dd6feab5428106b0900aee2d695254fbf50
AgentTesla
82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
AgentTesla
d576e1f7fda1be65966818b172595c210754ff21fc729113c5fa9427143d753e
AgentTesla
ff487e2ea6195cc78c6c3f1d9d23aae0902eec37964143cf85cd425252a0072b
AgentTesla
+ 2'437 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240828-mar7bavanc/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/51b57f1f-f0ab-46d4-b014-122a7fe0b428
Unpacked files
SH256 hash:
bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d
MD5 hash:
4bed8db5ac048ddafc6f1681cc79a454
SHA1 hash:
cf9c9c996b95fc856423ec7a1e4099615b34ef0f
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/dc8162ce-277f-4b58-8c9e-b38318deff3a/
Parent samples :
4d1527ce09d716a68f0a548a3fab80d2223028460e036f43b579f211b91b0ff3
523d949366cc9f4ddfa2d9c261bf1f0741879b32cc821e6e654830184ff4815b
a7ba3de84abf4628a7b7096e7f28b4d8b6946429d6f8b1e8f0b5bd05eba3db0e
6d4a4773e58d272f90abdde88661ce929741814276e20ea43384114f6e6cbbe9
46c5226221c4a2c2a2d46eb2ea34889f2ea736f3ac91bfe800efba0ef277973e
fdf4c8ee3fc626020998a24d5969fd5a30ddd46f64494fe0e74ecd26ca579f5c
35a9609805bde63b4e22255d365fc6a61724fcb9f8456899bb085b76f0160d5d
82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
f03acdb2a846f8060d76c3d81651949b5699a5dee5b2b26ec238872defd12252
75fdc92b3101bba09f964b73e7931a7b021442e130e64dcc421d155fa50806b7
bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d
851cadfb7b72af94db5c9db85e0d52dfcbf3fa948c7498627e4b67162cff6e7d
SH256 hash:
ae0b8680615ca8134c902ba5e58f82124c94874fd9f9a9176d6752dfde2d639f
MD5 hash:
674563f5cfe5225e5326d24ba4b6cc91
SHA1 hash:
cbbf69eeef1632984a140b0bfe8ee997b8d6675f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dc8162ce-277f-4b58-8c9e-b38318deff3a/
SH256 hash:
cca9dd2796f457a3577f8ffb019b5a919f5c6a2043f576e17f73b04bd9b48335
MD5 hash:
1e05a6df34136b46702b71840e4659f2
SHA1 hash:
20a2e26c3662d28b701ae92d6223e33a6d3c4e2e
Link:
https://www.unpac.me/results/dc8162ce-277f-4b58-8c9e-b38318deff3a/
SH256 hash:
82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd
MD5 hash:
f00b2621ba35e3cb7e4eccf8b9dc6328
SHA1 hash:
4d56f4cc97feaa2a0811814a2e0df436d1ccc2e0
Link:
https://www.unpac.me/results/dc8162ce-277f-4b58-8c9e-b38318deff3a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82903347dce7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 82903347dce74dade6fe581fa776ac312af0bdf508c42b66a36c09ea439c1bbd

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments