MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5
SHA3-384 hash:	a97ccc0f7fc9927368464296e62f35d59b4b682a050e1411f21b02327bc0be835704e1f8cfa479ea41874e9806553982
SHA1 hash:	3d13557865e04d81d3f837a89bacc8455ae0d005
MD5 hash:	76efcece384fca2dbf2840aaf0521e29
humanhash:	river-ten-crazy-football
File name:	hesaphareketi-01.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	751'104 bytes
First seen:	2023-05-08 16:04:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:zmdF3JQcpDvnC237A+EcTvu2C6AFDPBwncjf60Ye1urt:KX3JvnC237AjcTWMkLBXf60Y+
Threatray	891 similar samples on MalwareBazaar
TLSH	T1F9F43647335846D2FC658FF0C8297AEA32E7BC9668E0D65C0D95F0F51BB1ABE1940E06
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	89f0c8ccd4d4e886 (6 x AgentTesla, 1 x RemcosRAT)
Reporter	threatcat_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

hesaphareketi-01.exe

Verdict:

Malicious activity

Analysis date:

2023-05-08 16:06:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/447668ca-3e2f-4008-81f0-2400d30099b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/387570/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/64591daf1c5e671712074924/reports/5a43111f-d5b8-470d-81f3-4ae94e299951/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b049cfbd-cf11-4b64-a78e-b9eac9be62d3

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1228463

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-08 13:15:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ra4jewwbtj362kax5whffnvz3mbnlcmh3uihotvmk5xyhhpryx2q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

823a206dcc8e78823dd154d935da7c7ba7029b9b51adfa1caaaca282fc7df829

AgentTesla

886e952321e1eae1a50c426ea8bff0e574d28a33ce33d85613f8cebfc45c7845

AgentTesla

b050f56ceec41d0c409065b66cf598cbaf75a565afab1b47552624e085a3a9c4

AgentTesla

b153261c18823db96bfd055e398bac3f7c3853aaa006c2017dc17d13e49e23f1

AgentTesla

bb29bd98dc2e9ea502e1e473b659e56940e604cd87058071b08a95dc7eddf7ee

AgentTesla

cc9fd84fffa1811ef3177586d7c6aee88dc4dc5412fd658ee4bb36ff934eec01

AgentTesla

e41b0a6b4bcbd587687a7d0fb61fad61a4540df2b09bee9c19f2dccb1478e554

AgentTesla

ea138d2457b49cccaf16cef8ff2a7479ed5e5207081c5d7ced0a2a3049dcdc16

AgentTesla

fbadbfd07054097238ecc6ed27a1e69e4907cbf038b4cc2ef52bd2f07085d0a9

AgentTesla

+ 881 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230508-tjgv9sbe56/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

740e7b7c52b009a96ac47a0cebe652c6aa97803f0f2b73ace74aa4aa16d59cbd

MD5 hash:

d78a9d6094814337deec16d021405148

SHA1 hash:

ff2acaf75cbb3db9b7e1752e635a19ee19eceb16

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

Parent samples :

b1bf6e4993200202d88ce1ad2a2eaf60f8a1b5665b1873eee7f4220f9a31eb4c
fb012706e028ca770d05ae4580045de7450d40b069bc8f8a250e292746b45b90
8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5
c336b24aeca365ef88005a1bdf4daeee797b2ae2c0976b3db1fa4cd7c9290b87
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770
99fb5779f548068f16297af0c00a4d67ba8c32555a608d22b6b4f66dd420e5b7
fd7a04ef2040fb5bc9216fe5deebd9cf7d1190e7fbdc0e15a42a6c8b639de167
af4fbd837568e98c2a396d6f678b2ac9844653278c191af886c939844f9f2f3b
62d84fe295553d606c20def616280682b67dac3747ffe3ff4eb2337d2d01a4e8
2ac859e404e799bec8c46de362bc5af79bfb5ba455b9dd8832f4198f05692d7a
dcc8f01c079ede8b283839c41ab3eb1668d7a37183d3af2dce5d962ef0835e05
1a90138e87d6691efc22705cfd6b4003a434a5b55125b0c6663ef39206a501f1
9ffbaa54e1ce485cafb5c9eba276d6d18be8d95511838d3e65a4e08cdbdf0a4c
2f8c73b98c4878c743b2e0d5ec8e67ee1b6a0cf931d1ac69fa48a9600d869510
67aa6dd3cfc208be2bf9bc11b9e2ab4dd59f594653f4f073c8b96b5f5872c286
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
05ec15a8743d17229f8749eefbd23092870a62b8befad9881b2d4dc63b0b194b
2eff68c23c7347d6a7614ae78fb7860aa81cebc0037d9c2a95fb795c2e2b3d6f
c533150826bd6cd5b29cc1ec1b552091e976f7ec10044796f947bc262023d9bf
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
80975a26a4f83ef73e1ea0280bb003b7f64daec835bf476077eda08c756a5671
b3fac580e11f2a319aa3a2122fa47f08dee0d8c8bb1967cc5b0a548493de7781
f94d390deeb6e7c8738fc693de22e0a49e4d57681759dde58102ebeea443463c
43e9db6b9ba0f48665e26a37880216e9b9135177bbb280b1b0143d2295b9a53d
0bf1609dcbb7c573bfce2b0333c56ff2db52dd54fe98a278e57a99b46dbfbe68
4a1731baffae0aeb7576bbe744f7c4bec60f3a8865fb6f9ed597f50f6c9e4c09
ec138fd03e6239e84fa8751411c8dfec0fb3ebff47e0deb9f7aad7e3b3cfd744
a4d917b6696ddef08d0f4ea5a2dcaa8de85e639684a5f869e353c2c80315e2d7
a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402
8b9f62091a55888570c94edca554a69a8b28909113b022021372e936e2c567d9
7cdadb18edcd84c6223b48a00dc074dfec26f8416b754acc87f1231ede8bc42c
ca779382008cbe0bc0ed6b46f21edcb095d7e3ff6cd56e192b5c7259a60a3729
e77034ca0f5612915367f7d97ba20d7452594622ce20078eee74df276173ef47
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
a3646df57e935938fdf32f977fe40f1cff32a25ecfb8d086c08cedff9f7d7f1d
b750afd55ac6a1bb83126243c9fee3c8fb3ea328f3ef7dbed27d25572e374eb5
b5e595f70f317fc0c3916b7f0294681db744ec05ab7013cfb770c1f656018c8e
912e8de60b256356d9d56d77bd1441e5b7692af26fb320e7645bf5edde861baf
c1c41ec1f495a0b825d766f3cbff298777033bb1447d7ccbec6a03bbe0bd54ca
62804130bd52854d369a3586de018287087aa07d7b5d5e3e851122be331b1200
1b6b62b3f96553b8800f1c2c38ef1dde521a149715534f1fa19d02a9df8722bf
dd48767cfb22ef37bba35b4e630122994f00f156e2bdc63d59bbae9a8c36d6f1
fa89df8e9ce2ef14867f975a2fa4f9e3153f02ddbe261c33922826683482b3be
f6ef6dd1439771a20f55663c0b199a57f16da75e9249731916db75aca2265d50
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
6b64730d26c6e0c4ec3db4e89ac886fbaf8cd4decf695c44201a8dc45b3d9f5a
94a5965ad18abb09e0e0e2ea434c021c0c4dbc20df6381196ac41b4ef356fe8a
b7ae1c2109159bbab425688f0735a3fc8c9d623c78ef409f3bebace05bb1ecab
c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf
8c36d1b83a2d060b222898c7b06c04b2b316db233dd58e6551bba8096520592d
348adfb8653e9a39c662e8bb76909d27fd2b79430826658ae8166140006391f3
40a3aac33840e3fa650b9a42daa9ecabaf27f36dbc94b41ce1620817ff188b67
d81ba294e8f5bd20984715efb925abe3df619def7254f554afd09242bea903e6
73efb6c1b43b24a695e351ae599855ecc01e30a90c4999c6f6c93bcfb8329291
000518a2ac056e4e5907aa1eab5b5c4e61b728583a4f77322a6c85190993f4df
c719c3f4ed747b4f467656f57a3eebcfbdaf116e86e78581038607e5830bbd15
80ce21fcc805697cd3d617fb8599d9e20a300a7e1428c0b160db85f166db5be3

SH256 hash:

39ef53352bd5cbaa7c03dfc2a7d3f3c85fdccac003588968b6fd5fa036a8d972

MD5 hash:

863f84184c48096508b1da14e1bab2c0

SHA1 hash:

334ff8923f526d574a1b54843b2ff7eee74c4f3a

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3

MD5 hash:

48f25f70764858909ab7fa96721f9d01

SHA1 hash:

1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

SH256 hash:

c8be03230ee72c4c26b2a4e32feed129322892f3cad1ecf16b048c08bd308177

MD5 hash:

368c1a42fbc21f7073540dfb14798766

SHA1 hash:

165f2c62b032b76991ae274a3dc73eaef4880630

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

SH256 hash:

8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5

MD5 hash:

76efcece384fca2dbf2840aaf0521e29

SHA1 hash:

3d13557865e04d81d3f837a89bacc8455ae0d005

Link:

https://www.unpac.me/results/7c9cecda-86f3-4f0d-b159-10cdc4b2c0a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/387570/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample