MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1
SHA3-384 hash: ebc0a9f3d5a7e035a70cb1a3dbdfef3fe51b72502422ebfcffe215311ab12660845f7c85165e0008df5334acc1680d6f
SHA1 hash: 5b476421e5c7b276a8b16d89b6cc48663debf93b
MD5 hash: 5a9b29cae0880b64e4cf0c6228667f69
humanhash: may-kentucky-leopard-robert
File name:PO #1254352738456548.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'018'880 bytes
First seen:2021-02-01 09:39:07 UTC
Last seen:2021-02-01 11:39:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'796 x AgentTesla, 19'697 x Formbook, 12'276 x SnakeKeylogger)
ssdeep 12288:yFyq5x3bQIHTX8jp+fxC1+0wZJbTt/cQ0koOaywCaQ1FtZEVSeDF+J1y4vSsFR:05lNHTsjECkpZ3SywJ6BEPF+yW
Threatray 2'352 similar samples on MalwareBazaar
TLSH 08258C117298891DF5BBDBB6A1B45004CBF9F813D337CB9EE495145B1EE2381DA8B322
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO #1254352738456548.gz.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 09:49:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5944987e-ba72-47a2-9763-f7e7f17e69b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114441/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/595146
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 09:39:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtuoldcjnxvu22hy5hfeysa33qssenb6zrvg5pivd4pnretonpqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c968812016cb812761201cb8a719e1bb6a420e0d50dcf87947b4da6cc975dad
AgentTesla
107c9cd667e0d508999e4117d8674f99c381033c2c8dfe7a2c177c98b315fcb2
AgentTesla
1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
AgentTesla
3ec30d1c917eb74866b2781378705a516936c03f7ac71b528cf6546d579e76c4
AgentTesla
43891ebd12a33234d3776da3e200f2d778cc1a169050f3db729ceb8838f0ebd1
AgentTesla
5b3267deb2e1a7d15a607c191a58af5da2ed5de23655ceeb4b0280fe6f0d5a7a
AgentTesla
7d96ab4976c244b72c06745ce7764de1e23d80239b5d435ebc27b6554a6c79da
AgentTesla
8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
AgentTesla
c994527dde6d28e0e8312f6de0e4183239c438d7f2819da99ca54a70b5fd6241
AgentTesla
da9b1555b574d5e9b340f3993564550e0659f08b24856184a9eb543f4700e7e8
AgentTesla
+ 2'342 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210201-ywy2na47es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9dbe0943a236299fce096c920e48f189506d22890876b5125863f629944b2448
MD5 hash:
938fdf988619893393e9c08ab5c5bc90
SHA1 hash:
c13896a794dd81219dde3e8492da14933a95dfa8
Link:
https://www.unpac.me/results/a80d9d41-366f-494d-a819-f6835f89a719/
SH256 hash:
d6ac94939e1a7c4970b5762b2e87f80ba62c637722428bb7695e4b0ab0e532af
MD5 hash:
8a9645c3403eecad337d866d563e38d1
SHA1 hash:
8f93977d7a32aedad622833fb3ebf0ae09753496
Link:
https://www.unpac.me/results/a80d9d41-366f-494d-a819-f6835f89a719/
SH256 hash:
4921ef47abe92c12d3b7cb03edca66b76ba2f6a0241b933f0063eb1c67816c33
MD5 hash:
a56114daacde1b39b8f9bae8a78dc2a1
SHA1 hash:
0924ea3a0094d7810a135ab36cec50e1e05bc7b9
Link:
https://www.unpac.me/results/a80d9d41-366f-494d-a819-f6835f89a719/
SH256 hash:
84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1
MD5 hash:
5a9b29cae0880b64e4cf0c6228667f69
SHA1 hash:
5b476421e5c7b276a8b16d89b6cc48663debf93b
Link:
https://www.unpac.me/results/a80d9d41-366f-494d-a819-f6835f89a719/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz e02e3a55c56c9f06adc094d43ace3ade5c7ed8b193b687a282d7c17abbeb9fe9

AgentTesla

Executable exe 84e8e58c496deb4d68f8e9ca4c481bdc2522343ecc6a6ebd151f1ed8926e6be1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e02e3a55c56c9f06adc094d43ace3ade5c7ed8b193b687a282d7c17abbeb9fe9
Cape
Cape
https://www.capesandbox.com/analysis/114441/

Comments