MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3
SHA3-384 hash:	430f18262f61c1adac8aa81698ab09a8894eb106d531def6bd0fb312fc3b9b415ff6b96264fcfae216b1bc68ff557a54
SHA1 hash:	a3b7fe2080fb8bfa0be0eeb60595fb974d566f4b
MD5 hash:	b729148fba639afc7808ec30e55adf1e
humanhash:	music-failed-fanta-burger
File name:	SHIPPING OFFICE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'137'664 bytes
First seen:	2022-12-23 13:17:45 UTC
Last seen:	2022-12-23 14:29:53 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:SSzEPboCAzqqwlpf2bk9cj/rJQExjLAHKdmignULU2a/Qagh2zixPeJJnZB6VkbM:S4IOGHtyM30mMaXOV3mEpTl8
Threatray	855 similar samples on MalwareBazaar
TLSH	T13035383439FA501AB173EFAA8BE475EADA6FB7733B06645D1050038A4723981DEC153E
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SHIPPING OFFICE.exe

Verdict:

No threats detected

Analysis date:

2022-12-23 13:18:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43b47e44-eefc-416f-8d2c-b24a2ef87d6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Rogue.0hr.20221223-0236.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/63a5aa8d8a140ed38d7d116f/reports/d237b7b7-69a6-4edc-a6e3-3a5a6fc4d5cc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0345ac9e-9719-4224-ae95-57358abe5d68

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1140014

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-22 22:44:51 UTC

File Type:

PE+ (.Net Exe)

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q4ck4uwboh62jgre4pjln656huxr7liunrx4kdnbh6jgvp5ozcrq._file

Verdict:

malicious

AgentTesla

3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

AgentTesla

73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43

AgentTesla

866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7

AgentTesla

a4a93882eebffcb57433742517438c5d56a6d67470a674558f4db52ff4306c9a

AgentTesla

a99c69752668a94268cdb482df74649d755fcf56ecd9f431b1cb03b816a593cc

AgentTesla

a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c

AgentTesla

d5f4b34691f83d4e43fca884fd61b14af4893be3843ec3d41ed1c38539b28f6d

AgentTesla

e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3

AgentTesla

f31a80161316f18f20a08fd241e83bd7979c693acd1bd5aa05bca2e52df9babb

AgentTesla

+ 845 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221223-qjybgage26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3

MD5 hash:

b729148fba639afc7808ec30e55adf1e

SHA1 hash:

a3b7fe2080fb8bfa0be0eeb60595fb974d566f4b

Link:

https://www.unpac.me/results/b97baf75-1257-46cd-bcb6-e7e43892e8c1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample