MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29
SHA3-384 hash: 0e8a716e383f201c476a88f3517a81fb0b49366138e415228e75b0ac504c158b0ef1fe11ca42ecd72331497e2af2bf42
SHA1 hash: 8ed63b6661b1e4f58172931805950ad20f793a92
MD5 hash: 10e3800bead1c577da82e808d8c50a59
humanhash: harry-spring-papa-two
File name:10e3800bead1c577da82e808d8c50a59
Download: download sample
Signature AgentTesla
Create hunting rule
File size:878'080 bytes
First seen:2022-02-16 08:52:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QrmpSeJkdeSCrlfICclWXe6Z90BWPMAfe59XAKi+co8EkJabLCnP6QKFAX:QypSeKdWAkeg90ozqdp8Enii3W
Threatray 14'688 similar samples on MalwareBazaar
TLSH T16C150204BBA7E585C1390FB7A8A2C17396B4DA6CB723EB776CD4339C05463E905B4638
File icon (PE):PE icon
dhash icon 00b271f0f079f2c0 (15 x AgentTesla, 8 x Loki, 4 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241855/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys obfuscated packed
Link:
https://www.filescan.io/uploads/620cbb71a2660f3bb9e3f46a/reports/cea7ff9b-4635-4f96-b6e5-b3e5ff9630bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/946966cd-afcb-4e04-aef9-80cc8d7868be
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940673
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 06:59:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18b6fc7cee9c61a647521a65fbe470eb18242e64f831f57471685d8227c8e386
AgentTesla
52182c825d2d98b788cd4a1fe17e0c695b42ad09be21560a7321fe84f59b51de
AgentTesla
67b9e43619deb0b1a6825a1a3282cf57f2312f49b7a3d24a54c57160f1885d13
AgentTesla
772e0ad45b7f5a01a09310758a4ef9a0a370e6a453cd26d5d95ee257a545ad05
AgentTesla
8a76b1eecef91f85cf233602d3c81c12da167bb4d2648abf8e738953c558803b
AgentTesla
8eab4eb2c9edaccf55d9d5f64f210638a7826c262b44772c5b6e37a77d1e61a6
AgentTesla
cc6e5ef0559518d7068995553f542926abb9bfd75a67ca892cb6bef5e1b8b25f
AgentTesla
e7cac2b948b2ebb032b15b025747eaf10cbec21d5adb365d878e100013e0cf1d
AgentTesla
fd431d8347b3a17ef5345f02624aa67b94967fdc79906c4351883dd2c1aee910
AgentTesla
+ 14'678 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220216-kta12acgcq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5254401235:AAFEKINIQJAsxUrIL0cEELowrjVcR9uLgaM/sendDocument
Unpacked files
SH256 hash:
d11bb704d35a50be44c62917cbb698719d51cda78203978eacc8e324850cfcf7
MD5 hash:
972570e68122f16002ce6d872d36baf7
SHA1 hash:
49d204b50f62cbaa7cbffec0d0b540ca63b98440
Link:
https://www.unpac.me/results/c60751ab-12a8-4866-8f60-06338046b974/
SH256 hash:
7091a06e8d8c8068a9baa2e52b13a26dadca3e9c8f57870148d188f70d17be6a
MD5 hash:
506ad56a770a7a1aac6f6dfd63949a65
SHA1 hash:
bdb606b2c5482687f5eb055c2f9f767437ecd3a8
Link:
https://www.unpac.me/results/c60751ab-12a8-4866-8f60-06338046b974/
SH256 hash:
e20fa0995f1ee3b8a8d6e2938fe9c05abfd62837510b7bb436dccd707e0de7e6
MD5 hash:
08f1bbf9efff09ad706b515e31bf9593
SHA1 hash:
e1b7ef0a3a27896c80988f6d5c37000a579ab1fa
Link:
https://www.unpac.me/results/c60751ab-12a8-4866-8f60-06338046b974/
SH256 hash:
63b6403c6ea1378c0ff49f069597b45496dba6c0161d240e64885ab6f0806d04
MD5 hash:
72b143fd989c37772556bf302ac33be1
SHA1 hash:
ee377db4778e70261d34f8210208069df41a12ef
Link:
https://www.unpac.me/results/c60751ab-12a8-4866-8f60-06338046b974/
SH256 hash:
8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29
MD5 hash:
10e3800bead1c577da82e808d8c50a59
SHA1 hash:
8ed63b6661b1e4f58172931805950ad20f793a92
Link:
https://www.unpac.me/results/c60751ab-12a8-4866-8f60-06338046b974/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2045076/
Cape
Cape
https://www.capesandbox.com/analysis/241855/

Comments


Avatar
zbet commented on 2022-02-16 08:53:01 UTC

url : hxxps://arturkarolczakshiola.com/zasa/fYiA22eXpUTT7uP.exe