MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a
SHA3-384 hash:	d9658bc73577b782a413e70a8e12a1fb0abe53506490a85f57660775d455effa094c9fff81d84651827fd5adfdb0ce73
SHA1 hash:	5d904360060887f174391345c1d57a0d71cf045c
MD5 hash:	d2375d0c964503cb0885511a17bb23c3
humanhash:	minnesota-mobile-social-kansas
File name:	Payment Swift-20230817.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	862'208 bytes
First seen:	2023-08-17 20:30:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:U+mMxm/gPrklFVzmbupQIZzP02997k192UAZVyYpfx:Ud1wrk1Y4ZzP/je9yvXp
Threatray	891 similar samples on MalwareBazaar
TLSH	T1D9055613331887E2FC249FF1D81913FA32E7BC86A465D94E8E80F1FA5631ABE0955D46
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	d18cb2b2aaaad429 (1 x AgentTesla)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Payment Swift-20230817.exe

Verdict:

Malicious activity

Analysis date:

2023-08-17 20:33:52 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/84ffdc0c-b38a-4452-b350-6c9010c1bd78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/443386/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64de8386a29d57e203852f18/reports/02f1d282-e754-4322-82f3-27d6d71a1d86/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98c3e1e5-27bf-47bf-8727-cee83572bd0b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1293127

Signature

.NET source code contains potential unpacker

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-17 15:01:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q5zojvgykrukudry6cbgdjgczthcrzwzwufiwim7phzcr5zwzbna._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5

AgentTesla

47a9c72472135cb2c500073339e15d6ccfd905bc1c51bdb0c4bb7779425a384a

AgentTesla

8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f

AgentTesla

962f81698653baa1d8bf2ca70ecd37aeeb8c7cb0f21b7c4c00ab9cf7d2206c9b

AgentTesla

ca26076fb095e2acdc06f27e242238ab5f3c8b79496b2a82c1729175dd928c82

AgentTesla

df7d91d4002f96a8852431095308e5271f900a30125ec3d1d55beb80c6995d1f

AgentTesla

dfba6d9c101eb1273aaf962047fd958424bfac70a1162c2a910640981a23d054

AgentTesla

eac955e21979be52d265a31b6d4d7434089ec180b116f5fd70792978ddb87d01

AgentTesla

f3b6d3950ed18dabb36fae0e0b75cf010a7833f058f6d5f2573eb17a038f3141

AgentTesla

+ 881 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware stealer

Link:

https://tria.ge/reports/230817-zan6wadb55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9fbdb82eb989d21aae21624f597e9adecd35ade46d1c5b1ac13f66fd5dc52961

MD5 hash:

ad9c6e3b0d7f15e174d2b7d3d06aedb5

SHA1 hash:

f0265d9343d734e4f406f60aba9871c5c8ed1a4f

Link:

https://www.unpac.me/results/4465a49f-762d-4913-bc8f-6889c8afa8e1/

SH256 hash:

bb80534b2020ff8b190121d259f6f0f517b945ef8e29b89554c61956c48efac3

MD5 hash:

4ce3fd8661138b0deadc1f3d5b8ca09b

SHA1 hash:

e66191df65480edf57b0c05a013c54502d472ff3

Detections:

AgentTesla

Link:

https://www.unpac.me/results/4465a49f-762d-4913-bc8f-6889c8afa8e1/

Parent samples :

eac955e21979be52d265a31b6d4d7434089ec180b116f5fd70792978ddb87d01
916c26e1e43c03fb2faff6fe47a65492f0966ea0b5ae7ba4fd864af05f1e6ee8
dfba6d9c101eb1273aaf962047fd958424bfac70a1162c2a910640981a23d054
c9371309802b12f374c0a8f8e28b1fe40bd72929342338b7fc769f1a845f79a3
f4b4e8c5922902a99c7fad1329d23fe90295b08b165200189273f391323dc47c
3ec460aeca63f43b1c270d4c2c6d517086e8a302863bac43d7389d519c95f37e
e4b091b6eb1421a4bb8ef19af620e52d101806a44351c5191919198306d6b826
8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a
5a6c429f017b403c4bc91330056da43f35387f4a5ed19fed2be140ee29c32989
26eec7bea99973fa7a59366d0603196099cec54b0e20f89876fd1dcbc6ea1e94
234aff0ca0de7675a5bcd4b0925d85bcb9c6df06948159893fdb990274a5164c
d31d25db8f90f851d56eda5ac2e95f0b030c0d42ea908386f52e95ff313bdfc4
7feb4037f4f3a98c88af6a20855d9be48c8f127f5aca54beea08149d78bb4dc1
25fd8be2e2dcbbf3707e4aba7be70e8d962beb4a47c9c4a1763b09086fcb1258
15ba4f63fe43c578c10edea51d3a521efb953302d78621b92ca65e699b921dad
ccfb9a331960621fa51b170c722fa4f6bb7e1cc04db987298af3887fe08bd64f
760831724396437abbc9df355eff72482e467f43cdd76d426283c86820165e32
a42fc25e5c4b617629fe6867cb6625b17f18625b6a2102343dd51219bcd99760
742db9471549b91bca93f28cb8b9ba804a4fa03346223b57384b62b9a386b124
bd0b7ee993da6e96723b57cef78778f681b3682e00aa44c8916c91fbf7b9d058
571b509e7c87384fe9a4933b24cf0d7d8e2c2faa70e39613ba3561259a573df1
9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484
3a099cd463190175916c58f9f590da65059c3207f6e5e8d5ee7e4615fdecd4d6
17a9e377f1a8abdba24292372a1a4630383438b315b791988ebca48e8f634abc
c70653b62d36bc066f5b9253d3a9f519eca5ff2d58fd39affa1d0e2468186980
44f1236de9be7944b5ee2b19a9b7cda3df8ca686954a464abd509916d54671b1
bb80534b2020ff8b190121d259f6f0f517b945ef8e29b89554c61956c48efac3
05b6b6be781094f149665aaf2991c91fd29485545356771d1515afa6b0da105a
c0e472a9146a7975b5908ee8974d49f83426627cb074189268959a432cb61ea7
6e3f981e67d34ae5926687f3cd70f6533dbe42a041a946dd4c0ad51a239b87ee
f5970e4e030d40597a3f67287136f2044c51354e333008c8455c668622ddbfd1
eded555a7a575a6335ccc1c59ac51b58eb00ba3f43a0d5ed66f2af28f4d3bcf6
42d4821835c8d06dec695b9d34f4418097281376fdcb37d85193e89b89ab0dd2
b97373a2cf56a7e34552242194ca53f1afdc4283eadc6b028353d7a546d7fc11
3a835ba5ec5b577df4066e1635d0fd150f189992464836df6400ed6a416cdfd4
7e1956202b29fa1f4b2069bfca66729c92f55a8597f2915713f525d10daee463

SH256 hash:

2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f

MD5 hash:

1081db0b25581c7958e6fbff4d9aa64a

SHA1 hash:

bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9

Link:

https://www.unpac.me/results/4465a49f-762d-4913-bc8f-6889c8afa8e1/

SH256 hash:

aa3670a577d4c6a9de6032190f2e147ca39d1a7b7cdaeba6b29205da945ba9f5

MD5 hash:

b2ba69c87d0423b3ea3e23e0784e8dbd

SHA1 hash:

0131a3bdd22a942b42310e1f9bfcba786d077959

Link:

https://www.unpac.me/results/4465a49f-762d-4913-bc8f-6889c8afa8e1/

SH256 hash:

8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a

MD5 hash:

d2375d0c964503cb0885511a17bb23c3

SHA1 hash:

5d904360060887f174391345c1d57a0d71cf045c

Link:

https://www.unpac.me/results/4465a49f-762d-4913-bc8f-6889c8afa8e1/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8772e4d4d854/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8772e4d4d85468aa0e38f08261a4c2ccce28e6d9b50a8b219f79f228f736c85a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/443386/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample