MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f
SHA3-384 hash: fe98fd640c1b51bac5a12ab69ee2848d571c28bd10a3be8a8ea6c32202ed1ba674f5f47757611fcf057a69e4cc23d363
SHA1 hash: 153a2cdab525f2cfe57f6dce6e1e85b61406f671
MD5 hash: 6f4ddd69f8ba210c0df75d9147be756a
humanhash: social-moon-snake-artist
File name:6f4ddd69f8ba210c0df75d9147be756a
Download: download sample
Signature AgentTesla
Create hunting rule
File size:508'416 bytes
First seen:2022-11-19 06:11:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:XyNJqds0tVx78AfOFKXSxsiP1sGgP03m223HlD9qiPeW69UqCdGRk8gmr:XyCjwX+i6PMd23HlrPy94+z
Threatray 615 similar samples on MalwareBazaar
TLSH T103B42345A781536CFE22A9F6A74BC6B35AD14A63BDD4478C8F4C0E801C701C9D7ACAA7
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry HA-22-28199 22-077.xls
Verdict:
Malicious activity
Analysis date:
2022-11-18 22:51:25 UTC
Tags:
macros opendir loader
Link:
https://app.any.run/tasks/656e6569-4de6-43cd-b416-7a24c4dc000f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336023/
Detection(s):
SecuriteInfo.com.Malware.PDB-43.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637873b4f75d59fef0b9df42/reports/263ce846-f1ed-4ef2-96ad-c54161633fcc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/371c0d01-f784-4277-9420-e2054d7ea7f4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117023
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 749735 Sample: bSPRpBND9K.exe Startdate: 19/11/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 6 bSPRpBND9K.exe 1 2->6         started        10 eMQgSf.exe 2 2->10         started        12 eMQgSf.exe 1 2->12         started        process3 file4 29 C:\Users\user\AppData\...\bSPRpBND9K.exe.log, CSV 6->29 dropped 61 Writes to foreign memory regions 6->61 63 Injects a PE file into a foreign processes 6->63 14 CasPol.exe 17 7 6->14         started        19 CasPol.exe 6->19         started        21 CasPol.exe 6->21         started        23 CasPol.exe 6->23         started        25 conhost.exe 10->25         started        27 conhost.exe 12->27         started        signatures5 process6 dnsIp7 33 discord.com 162.159.136.232, 443, 49718 CLOUDFLARENETUS United States 14->33 35 api.ipify.org.herokudns.com 3.220.57.224, 443, 49717 AMAZON-AESUS United States 14->35 37 api.ipify.org 14->37 31 C:\Users\user\AppData\Roaming\...\eMQgSf.exe, PE32 14->31 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file / registry access) 14->41 43 Tries to harvest and steal ftp login credentials 14->43 51 3 other signatures 14->51 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->45 47 May check the online IP address of the machine 19->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->49 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 06:28:34 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5k3esjbf3idvt2a23acrfhmljepmiys272n7oaczmlyq3mmsixq._file
Verdict:
malicious
Similar samples:
1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf
AgentTesla
2c965072de3cd60d9dc8c066b9e5bd3130e0d03a0502e9598dc5493b2297f290
AgentTesla
38841cf99acbad325533235562fb6502b995a2a32e43315cf0c9ed3f6f394590
AgentTesla
4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31
AgentTesla
55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc
AgentTesla
7265ba924abcc035e8263873f5ed19842a0ad724b408fb816e7c1b64768b0cf0
AgentTesla
a17e38eb9cf906557d7e718135d95bb3d7683ddd40093c10b91414e0c84cbb1b
AgentTesla
a43a510468f0f694f75cee68d55c019f5de3f72b3627e3e3b8718d8afb2281bb
AgentTesla
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
AgentTesla
+ 605 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221119-gx614agc77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01d0d2ea-72c5-47ac-8026-d8acee553497
Unpacked files
SH256 hash:
8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f
MD5 hash:
6f4ddd69f8ba210c0df75d9147be756a
SHA1 hash:
153a2cdab525f2cfe57f6dce6e1e85b61406f671
Link:
https://www.unpac.me/results/213b54f6-967a-4d97-b295-1295bf50542d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8755b249212e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425747/
Cape
Cape
https://www.capesandbox.com/analysis/336023/

Comments


Avatar
zbet commented on 2022-11-19 06:11:40 UTC

url : hxxp://103.180.133.133/office365/vbc.exe