MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
SHA3-384 hash: 2d02134630d4fd620dd424ebc953d443b6b6e856f4140efb2c920f800989fb4ab7d40945332e09b980ff89162b746a55
SHA1 hash: 842e6d5d2abe47fd4b5b1d566b6daabb638cd436
MD5 hash: 5b327a3df82cdcd9e52e594b960112ea
humanhash: speaker-montana-indigo-north
File name:Vessel's particular_DRYBULK.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:543'744 bytes
First seen:2021-07-02 06:15:13 UTC
Last seen:2021-07-02 06:16:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8rEFVzMFBlDOdJf6t7ViSy99TRqUU3Kk6A:3a23StRs99TwUCO
TLSH 43C401013D26B282C2598B76C9D3D1A30B306D1E2621DA2E68EC7FEBF5763574F0174A
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vessel's particular_DRYBULK.exe
Verdict:
Malicious activity
Analysis date:
2021-07-02 06:15:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af6f9e43-476b-4943-8b01-8738b3b0aadc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Bulz.541197.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61490f28-6aa7-4d7c-aa31-f367ab8abbb9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810922
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443333 Sample: Vessel's particular_DRYBULK.exe Startdate: 02/07/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 8 other signatures 2->40 7 Vessel's particular_DRYBULK.exe 6 2->7         started        process3 file4 24 C:\Users\...\Vessel's particular_DRYBULK.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->26 dropped 28 Vessel's particula...exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\...\Vessel's particular_DRYBULK.exe.log, ASCII 7->30 dropped 42 Writes to foreign memory regions 7->42 44 Injects a PE file into a foreign processes 7->44 11 AdvancedRun.exe 1 7->11         started        13 AdvancedRun.exe 1 7->13         started        15 Vessel's particular_DRYBULK.exe 2 7->15         started        17 Vessel's particular_DRYBULK.exe 7->17         started        signatures5 process6 process7 19 AdvancedRun.exe 11->19         started        22 AdvancedRun.exe 13->22         started        dnsIp8 32 192.168.2.1 unknown unknown 19->32
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 13:00:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqeha6vkfxardc62sqy7cehcmxlrnnollpamvcuwkwbizlmlpmha._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210702-ppdwyehzda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
eee609fd474474c9b2fa5e377ac07ba1f83415f79071285fd36c8ce12c5f19ca
MD5 hash:
4abe5471705ee16443557e1fac51f8ac
SHA1 hash:
0bfc326345f82c51eec584f1c3f8cdc41d705731
Link:
https://www.unpac.me/results/615933e1-d567-464c-9e0a-4682672a12bf/
Parent samples :
6067817a353dc37fdc604639a53a627306c6c2c182b5c1976e14d33fa6375de3
a56f5f192556bdb3fd7af7a7d03750cbb4473b14ecde429a39a1b80ab6c6ab67
SH256 hash:
935cc4754d0a09c7111ba8bbe88cc7696e0091a01043a4a0e4ea8b1b56f0e4d2
MD5 hash:
02d792da6540ee37e2ba52e1d9ab31d9
SHA1 hash:
fe413ee364946a803f576b2e93b48efb175ac591
Link:
https://www.unpac.me/results/615933e1-d567-464c-9e0a-4682672a12bf/
SH256 hash:
7cfa5a1f196a5e5e294132d4611c454ced2990ea5a74922cabad803f78386cb7
MD5 hash:
9e7dfedce029eae8e728d0da4eab29a1
SHA1 hash:
8c20b5893e27ffd0892fbbee88ef66b9d4e33e03
Link:
https://www.unpac.me/results/615933e1-d567-464c-9e0a-4682672a12bf/
SH256 hash:
2a50ced9701a9a96720639860dc0bf573eb6da62e10e44e63f8beb9c294589e1
MD5 hash:
24e4bd3441c505fa8ffcefd6313a96b1
SHA1 hash:
73e6d892e1cf5aba3e567d779cdb3affaa11ee25
Link:
https://www.unpac.me/results/615933e1-d567-464c-9e0a-4682672a12bf/
SH256 hash:
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
MD5 hash:
5b327a3df82cdcd9e52e594b960112ea
SHA1 hash:
842e6d5d2abe47fd4b5b1d566b6daabb638cd436
Link:
https://www.unpac.me/results/615933e1-d567-464c-9e0a-4682672a12bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments