MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb
SHA3-384 hash: e82b2f56720293b4d02db4404b541c47e33505700c722ebdb3aeaec2cd41ac47ffc92eba7a7e43ed1f0bed5d5e1f7d83
SHA1 hash: ca8c4a2292b4ce28af4a31f49e1646a3160d6ee9
MD5 hash: 383c08ca926406a2a7632b75c23460bd
humanhash: oscar-connecticut-magazine-fruit
File name:383c08ca926406a2a7632b75c23460bd
Download: download sample
Signature AgentTesla
Create hunting rule
File size:719'872 bytes
First seen:2022-04-25 16:35:11 UTC
Last seen:2022-04-25 17:38:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:XpMnLRBHXDVWPKtTi2QNdNx9Wfn56P4sF3pTYdBCHJI5+LaQteHNdJIlXl1rW00Y:XpMQaJ18XiZxd5wfBlSArW
Threatray 16'389 similar samples on MalwareBazaar
TLSH T109E4BE177559DA44C5B8BAF562105D9002A2AE8E80B2D6F55CB037B929F73C3FE007EE
TrID 49.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.SCR) Windows screen saver (13101/52/3)
7.1% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 0f3375cccc61338f (15 x AgentTesla, 11 x Formbook, 6 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266499/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.AgentTesla.EQX.MTB.1269.7430.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6266cdfb2f162d9fdf66d67f/reports/8ca1fddc-61d0-4802-a5ad-860356db5666/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8bda99ff-57dc-4944-bfe2-36e43b5fe475
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982597
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615086 Sample: 3xGqsmU8CV Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 9 other signatures 2->39 7 3xGqsmU8CV.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\RTCaFUWNckf.exe, PE32 7->23 dropped 25 C:\Users\...\RTCaFUWNckf.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpBC9C.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\3xGqsmU8CV.exe.log, ASCII 7->29 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 RegSvcs.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 smtp.utleyglobalventures.com 193.37.212.50, 49765, 587 BELCLOUDBG Bulgaria 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 4 other signatures 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 05:06:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q335nasoe3pdwrbskieeiafm5bwgi6xdqs7jmqqxsv373brihtfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06440b7c6c51686469c0acaf74959c82d045c48daa6c2ef369404e56f41d3c96
AgentTesla
4154bbb1bc580a874dc084a8017a6bb5a6243c29cddbf47dee3d0ca768b5936f
AgentTesla
4798c1efb308026834b2325d0ce09334304208a0659cecdbbf5b023bf704f0e4
AgentTesla
49a53fb698c6608f315ec4176b93a2334e99cbcc3bb37fab5d3062bc390961f4
AgentTesla
505030a791a0085c41151e5c8c959beb07636b239ae83bdc67f117d11bcfcb41
AgentTesla
5aedb0ba908f5f8051911d2da6de7df46c7729592396cc4d5b6d5ca4312e6f62
AgentTesla
a059d9dac9bc7b44111b295efc8bd368f7c8fff74266531bd66d12c42442c9bf
AgentTesla
a6b250ec9613b293e9333e2410623c19e3e3544df34525a607dd0ecd36f138f6
AgentTesla
bda33bc9b97786bbb80b49d0d17ad8454b0a66f23b380aa5ecae68f86ba6cf8a
AgentTesla
+ 16'379 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220425-t38hbscfg4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
e0a676fddc16b7a2e62b539e60f18654704aeebb969f87a835c77ba18887a059
MD5 hash:
c0f8633c87a2a236186b74aad477279f
SHA1 hash:
745178e432d00910a261d00fbcf002b196562f5c
Link:
https://www.unpac.me/results/ad03263c-8e38-44d7-b8f3-03e345660ba5/
SH256 hash:
eb92d701bb7d84b8f9b5b0aa063482ab1f0f264cb30ad81b1e4fc456aab92a24
MD5 hash:
4369763a26b7374d9b2b202817e8fb3e
SHA1 hash:
b35486bac847839e4869489bd9fc99e0e3f4dc3b
Link:
https://www.unpac.me/results/ad03263c-8e38-44d7-b8f3-03e345660ba5/
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/ad03263c-8e38-44d7-b8f3-03e345660ba5/
SH256 hash:
52616ce28190134a8ff88f2ce0c5514d0978beec92ce17c300ecb35df63de9cd
MD5 hash:
7b7dd8deccc21cfba88bd4d68c4e5a66
SHA1 hash:
e6b3253480e6a64f0cd8375f8cf0277a69afdb1c
Link:
https://www.unpac.me/results/ad03263c-8e38-44d7-b8f3-03e345660ba5/
SH256 hash:
86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb
MD5 hash:
383c08ca926406a2a7632b75c23460bd
SHA1 hash:
ca8c4a2292b4ce28af4a31f49e1646a3160d6ee9
Link:
https://www.unpac.me/results/ad03263c-8e38-44d7-b8f3-03e345660ba5/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86f7d6824e26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 86f7d6824e26de3b443252084400ace86c647ae384be9642179577fd86283ccb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2163846/
Cape
Cape
https://www.capesandbox.com/analysis/266499/

Comments


Avatar
zbet commented on 2022-04-25 16:35:13 UTC

url : hxxp://198.46.132.168/77/vbc.exe