MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
SHA3-384 hash: 2cc629744510d36f9a4a7ec8c37a3fb52b1f30fa8f9a453ddd3df8d7e565b57b7511ff0a69219644b946377feb3e5ced
SHA1 hash: 3a8a030b56848af1f0b5bcc16ad3c3db4a87be16
MD5 hash: 9f5c1c72a8f48ac8cee9d2c50357824b
humanhash: hot-carpet-sink-fifteen
File name:84022000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:703'488 bytes
First seen:2023-05-29 12:34:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IsIdum2iNfmFx2iqNhujGjUTGRd2mbdZadNqi9VRTsSqrZ3xjabyPK:IsIdum1lmFxUpTrXadNqir5s5xjIyP
Threatray 4'353 similar samples on MalwareBazaar
TLSH T147E4021853FC069AE2B367B652A04634577BFE9E7671E34F4E8376C96A22F004A10773
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
84022000.exe
Verdict:
Malicious activity
Analysis date:
2023-05-29 12:43:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b77ab8a8-b6be-4fe7-923c-c672470ae95f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393068/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/64749bf66a4e8b5b994bf6a3/reports/be71f581-1b9b-485d-b5ce-504fafc5a132/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b68bfe2b-6b35-481e-b632-ee8a9dedd42d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244443
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 10:12:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbtpnrmjoqnwld75bbfkm3ro6szu7bfuai4opvqoflgfsyopeb6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
109ef5c322e2f5b9624f14914d4e4db3cd2ee7883f9c718c913616eb69277091
AgentTesla
271d3e8dfec86cdeb02be2c1d29e4717dae69d8edfb088bdf67b3da85fbacf30
AgentTesla
3d19690074df0c98a4088e0ca1f69969af9a65b7b260b7b71ac77a9bb89df6e6
AgentTesla
ab8a0181d0835a210e35819cd3e2220e5d683e67eb5678d574ae8f168bba965e
AgentTesla
ce4538d962580d2b52a8cb68aefb500eaee8f07dd01c1fae3b50b4a40585131a
AgentTesla
+ 4'343 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230529-psbcmabg86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
c03dd9d6ce9237eae5ad8e48b90afdc10e7c37ffe8d813178701d15e452685f6
MD5 hash:
b73fe624596944f63ec5a41f27f68846
SHA1 hash:
6eeaf56ee77f85a8ceb20f8141b4de686398bc84
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
Parent samples :
8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
114bb32789591863f1e52368028e2a59589b96117e2b6596d75f046ccc7863e0
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
SH256 hash:
2c53e3db37d2f1105f9f45c1f69ef27e66e948873c09e06a90f6011ea17532e3
MD5 hash:
48911b1529a061726921d43afad2c229
SHA1 hash:
2af61bbdb4aafdb73b40ddadb3b553af0831dbea
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
SH256 hash:
87f028466afa063694b9b03ae2d2fae5112f7c88738db0118a0a7e1231b3972a
MD5 hash:
b88b6ff674f150e817e7422a80e97fad
SHA1 hash:
23cb984a7265763140512adb268948d61c96becc
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
SH256 hash:
8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c
MD5 hash:
9f5c1c72a8f48ac8cee9d2c50357824b
SHA1 hash:
3a8a030b56848af1f0b5bcc16ad3c3db4a87be16
Link:
https://www.unpac.me/results/e3626e3c-7525-4a2a-8cdb-5d2ea1c67ae1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8866f6c58974/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/8866f6c589741b658ffd084aa66e2ef4b34f84b40238e7d60e2acc5961cf207c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393068/

Comments