MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
SHA3-384 hash: af95b90b3a0f6f9f6c127dd8d5d0a5ec45bf8aa443cfc77028492b22cdc443b775f99db73cfa339c33ca2fff9a9ae1e4
SHA1 hash: 1b0742f34f262997912e698a589968a3c83fb4ab
MD5 hash: b0f8a6b66bcce02b26ef77827b3ae9ce
humanhash: cat-idaho-carpet-cat
File name:e-dekont_html.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:839'168 bytes
First seen:2023-08-09 17:39:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:iIaik1YB0ogi2PSG0SKi6agyY2q20WlJ:iIaikqBFgtPSn1yY2q20WlJ
Threatray 979 similar samples on MalwareBazaar
TLSH T14A05E0093114C589C5FA25B6E850A1F80FB7BD25E831C24F9AEE3D6F3BB36564D00B66
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
e-dekont_html.exe
Verdict:
Malicious activity
Analysis date:
2023-08-09 18:00:04 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/d1d955db-84a2-40b3-9334-1b6f9f8b5f94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441736/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdaedb7a-147a-4342-9761-5fea5b5945f1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1288833
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1288833 Sample: e-dekont_html.exe Startdate: 09/08/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 7 e-dekont_html.exe 7 2->7         started        11 VtriwKfDgx.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\VtriwKfDgx.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9F64.tmp, XML 7->37 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 e-dekont_html.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        55 Multi AV Scanner detection for dropped file 11->55 57 Injects a PE file into a foreign processes 11->57 23 VtriwKfDgx.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 cp5ua.hyperhost.ua 91.235.128.141, 49700, 49701, 587 ITLASUA Ukraine 13->39 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->59 61 Tries to steal Mail credentials (via file / registry access) 23->61 63 Tries to harvest and steal browser information (history, passwords, etc) 23->63 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-08 21:58:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5bg6f45yabmdlgktvipz53mvvquutvpac4busuwbbaovhj7xmha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10ebe0fe04beae12147976c041e93e653c69cc16b5a21e43b2c5215c49c7ac83
AgentTesla
1496cc2741444b58ba3815b091ca257bbd9f17e85ba4d00fc26d725b6b8be422
AgentTesla
2e1b26c1e78f2bf90aed295cd607f18317876ff2c1910f948c7967353a185fa4
AgentTesla
4fcc49b2eefbff7e79c4ff61b3891f766b8530a75e0a748fd66ffc67911cf377
AgentTesla
5aa663f88bbd1d58ab129a4ded631a1d93ce4e13a5bfe7e0d933ddd1453d55a4
AgentTesla
604ee098f44bf5571e6f360dcd1995d4c96e45ee2c2aacf8fa349b62f520ee1d
AgentTesla
a53b6e198a7acfa16c86f39d607493cece30246a4c4195663a52eb80e3fd1820
AgentTesla
a540f9417751bf4d120f8c586b55961dd659ecab3045ac112c0057287d4816a2
AgentTesla
dfe0f95ffc9ad74d75e0c2089a34fd96594e47b9c635eb5c884cec8f1d20ef0a
AgentTesla
f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9
AgentTesla
+ 969 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230809-v8wamaea26/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/71681fbe-fda5-4877-899d-778933f9e86a/
SH256 hash:
0a6bd230f852b0ea44610bf025b8a6388b50281a53c605782f02db246ab8423b
MD5 hash:
9f1bce530f26ae3644830b6ee8a58c07
SHA1 hash:
acafe183f3b5af3e5eba3c1160fae890e2b2a979
Link:
https://www.unpac.me/results/71681fbe-fda5-4877-899d-778933f9e86a/
SH256 hash:
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash:
ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash:
4f2ac65623e89a9457cdd5fc51dc5d747b4830e4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/71681fbe-fda5-4877-899d-778933f9e86a/
Parent samples :
be91f662c6129ebed98724e3bcc3b1756f34ae703ecd0c2d1b7b24680a911b02
7c8f766c92bb04f1a2ea22e8a3fa91909bbb2c918c67a957aa956cc901488e56
8fa741885aa3008210667909c5dc93bbd695bfa9f10b808f329e70a87dbbc262
3fc2adeb47b4f9fdf134587dc79fc696f13852e509b883e9ed7b308b77846016
73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac
bf4eb25b59a0472448b5efed8a8b5286867ffcc99751f2aee8c2b5e208800b7b
0de129849e28a7281cd7d6e6ca69f950a27efca7d1b121b1635e6c34b76ad167
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
c93dc9b3ec14e0e1d375ee919ac40ed95eb67eddc6cb9b7508b4f64743ad8804
0fa983b67dc6abd6cce03b0fcebd96d1bb78ffbbc65b8a0f5fe7ff6c79baa109
24952a927387b2cfbd99c117a3b7d74fa69dce826f70767765622a5aab3db707
6f417ed94d121bb0379a9ce8c0465c503b998bcd2c0df5021c0ee595901aebca
f79e68687f0f3089b125964c398199c04e5ba690540d213ee014eabf29e8eeca
fd272b82f6a8bba4cf146ca17e16030eee6bca8df4dc58330a3721dddd79a43e
87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
3f53c498838571bd3333fc44bda24180a57a37a5a1268f4cdb1d204212c29858
4518d27e5b9109b044c8dabfa242bb224be62ed58111701c1f5e9fb7ed189f11
e75f34f2f6cbed8eb31dbef8ec7d031fce2feacd74f3a516e777923e6170b5f5
e8c89752942b8011820e9d04753700eb70f77a8701796ef7e826399cf889f9ec
d98ed54790efc6d718d719228e2bdbf4295cc23c94c22c6d77b55217337f860c
6d304e636be69bafcfae9423e629770fe3499d352e2a2259b9dc8f428b9e7cbc
6dac7514d424951b1e3091f61a94441b718c5e64e9dba95cfff15a51d8cde370
a4ad4601041ce6d58fb2468be1a3570c6d4e8c0914762972d3ea9a7e66fb85f6
ac32a3b616e9fb1f37a3f8e84db8475dfefb5e3ca56c6eb5580fc6f3887d8744
129467623307928e4bd892bf6320cd2f4c791e5d91d374036469ed09127dba45
a84d6a658ddfea2bf155df47943d616f4dce09d55bf7abc2eac1f1485be7bb48
830eb8430c1b8ce58ea1e6fef98794ef5dce3c485e244adc2e8ad310f2fe2bc6
48b23bea4cdfe0a7e79bc5ebde6eb2d9c69485e14694c48c13f0aab452b60d74
a5888a484f812f66cd39e16dbbcbb0891fd7f88e28a02660acfbe95635055696
96703bd16fbb6ebb4d19bbe99956cc74bc08ef7b8c05d258783c970e7c300ffd
810af925d95b0578d0051b1c49ed2a708c6b8057445794020382560315e611df
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
4b6bdd2b172adc692eb97dd87b5a6bc461e24ba6e714096771dbc3c45168b600
94459db0dd7ef2cab3fd0969b43bb53680c55bf2ea9d03e66bfdd6ba9af65fbf
62ddf21940294964b888e9370713e136b014b8e850ce276d94e9b410a498e739
8f49069af492e2a87edd3a35aafec61b4640c7759917252d317eced01bfbe25f
f42ecdadfc4ba973e68738550d4346e1ca67f0574c7a88a0f8fcf24fd9317cf5
f735fee6c67843c3661810ddde634e99d4eb301e4b298ec06e55d5f58b2a9351
b2436df85bd09d9aeac01c9f7e9b0ba093ad117b8444c99fed71db13ce86f95f
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
9e4960cd3423e643c807c5ac464331fe6844040bcddd39a1b373769ef2b13f6f
bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817
598fd9267e154c9fd5a5d36f5cf153a570c3265bd131cf63082b64cb4b4e7861
2b6f9aaa250051acb504eb782e963ef4bffca581d26d7c632b405f130ee5e09b
ef8e672ff4f30d2630ddebcf804c67d572e9979c949e4803654572479f486db0
061e29f834b607e0f56113f3318890231346ac04a7fe24673989e10261fe55e1
7d83a92926f6caf31b31a57f3fd55bff1105f3dac0d686847556149067897e55
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
3717f0928a99c81222dca1d74f568e2f92584b5bac7848697bd3913c01742baa
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
SH256 hash:
6f31cccf8c0f07645b4e89befbceb610aa7e2f012e2936c0e91d3081ca5150a2
MD5 hash:
1631263680116ff0ed8fdfdd6cbce9e9
SHA1 hash:
20d57a0b53e7b0166f33a32f282a5cf7a3e72e06
Link:
https://www.unpac.me/results/71681fbe-fda5-4877-899d-778933f9e86a/
SH256 hash:
87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
MD5 hash:
b0f8a6b66bcce02b26ef77827b3ae9ce
SHA1 hash:
1b0742f34f262997912e698a589968a3c83fb4ab
Link:
https://www.unpac.me/results/71681fbe-fda5-4877-899d-778933f9e86a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87426f179dc0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441736/

Comments