MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
SHA3-384 hash: a4cd08ffbfb9d379584d11a7cb8e39d77938bf17d6860e344dad9fd14ba906df46d9d881b735d12c9f3bfe2597d1dea8
SHA1 hash: 4bdcf9570cb252ee93e8da3888a70d7825e65a1b
MD5 hash: 1a2cfd318c11427f0ce1b0cfac83480f
humanhash: carbon-colorado-bluebird-nevada
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:474'640 bytes
First seen:2023-06-29 06:54:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:uIFAplx5LmAFNaxAqm/OMqgcG2IWIvvwZUN9XPc8l51VGWAxX3dkcWCiFoG5:OtfNaxAqm/OMqgcG2IWIvvwZUvPc8vec
Threatray 10 similar samples on MalwareBazaar
TLSH T164A4F13C57A9FED0E29CD138B0BAAB6C57B1D079A14BA7E62BA505F11EC638503144CF
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-29 06:56:13 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/92b8e672-2dc0-42b9-a900-e0091bcf65ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403675/
Detection(s):
Win.Packed.Formbook-9980347-1
Create hunting rule

Win.Packed.Cerbu-9993871-0
Create hunting rule

Win.Dropper.Formbook-9993903-0
Create hunting rule

Win.Packed.Generic-6680913-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmstp koivm lolbin overlay packed packed
Link:
https://www.filescan.io/uploads/649d2ac778b782264fa10058/reports/5571e1d2-758b-482f-b8c9-7c3328a5127a/overview
Verdict:
Malicious
Labled as:
Trojan.E1CAE469
Link:
https://www.hybrid-analysis.com/sample/877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6494fb1b-812b-4f07-85ea-10db0a16e131
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1263065
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7/
Threat name:
ByteCode-MSIL.Trojan.Dotrunpex
Create hunting rule
Status:
Malicious
First seen:
2023-06-29 06:55:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q564zea3uwv2zlbztkhthtfp7izb5nbqni5bb4lpvgrndazxjtlq._file
Verdict:
malicious
Similar samples:
1201be819db6d09ce9bd23656c5bbd7430e0420f30c39afe37b3a4662581f143
AgentTesla
4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9
AgentTesla
65831b6a853bb664e7f189003da9cdda832e5bcf647c1e262b3bc80acb715814
AgentTesla
66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
AgentTesla
838ce5b36c1e435c66278140a5ba8c1468f5e844f8cd8dd4aa330c5640b56053
AgentTesla
9b41329934970c166c34f86d83d5812c15c36c0b433150597598d78469a48514
AgentTesla
9cd9994b0c9c1e3c8e2cc7892d3d411061d006fd01a1f62c364076f4466deb0e
AgentTesla
a566a538d325ee3da4c86712b3cf4b305d35b2612e2112cfa8f76b511e036e06
AgentTesla
ab8674f0baf9cc51bdb639626664be6917a3682aa7ea25b7c233b673800513b0
AgentTesla
c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230629-hpsdeadb2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/
Unpacked files
SH256 hash:
877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
MD5 hash:
1a2cfd318c11427f0ce1b0cfac83480f
SHA1 hash:
4bdcf9570cb252ee93e8da3888a70d7825e65a1b
Link:
https://www.unpac.me/results/1331af31-a200-4193-bc52-08de9102aaa3/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/877dcc901ba5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/403675/

Comments