MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 17 File information Comments

SHA256 hash:	8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0
SHA3-384 hash:	03f83026b7f4c86aa0ac1d4e45edaca8bdee0e41576069693c65509c1d799751f5560807cf061f6f37ccb5b1f81baa7a
SHA1 hash:	538ea79a057fb8c0bd4f02c697fbefcffef87947
MD5 hash:	913aa7a8d382f9195e8057f5592e47a9
humanhash:	march-idaho-green-spaghetti
File name:	Nghgisxtb.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	416'768 bytes
First seen:	2023-12-05 14:14:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:vTz+p0qIUakJE3iQ6ZeJfTSK7An9/dhiWSI:vTz+p0qIUakJKixZeZ8/dlS
Threatray	3'853 similar samples on MalwareBazaar
TLSH	T16594E1296B9A8917C43D6B7BB4F3A7841BB4C5A6F40BFB9F199818EC1C537502E021CD
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Nghgisxtb.exe

Verdict:

Malicious activity

Analysis date:

2023-12-05 14:17:59 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/3b6aa7c1-fd03-44db-abb1-c3b093b4d6ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462630/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/656f30698b5ba47db2d2ae6c/reports/d24ad6b4-0699-4de0-9c40-25c8d9664eaf/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/17b7e230-653c-4d92-ba00-8c48582b037c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1353971

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-12-05 07:13:32 UTC

AV detection:

18 of 22 (81.82%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rb43757snm4jxdjxleupyyevuoch7bqc4aecfy7s6z3qlywyltaa._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332

AgentTesla

1eda1b310543e616e8b7b97e8e5f13597fb3a67ed9658b3daba2f49361563689

AgentTesla

4e38578b5c0bfa9b222837756d0c2387d218aaa990b47befb98571cec82f6b32

AgentTesla

8a0caf3a314acdd946e058b936136c755e7701c1384b1f632075c0bc8d958bcf

AgentTesla

915b5b0d16f54f50af35902863670a73a5ce5dfeabc25cfe3bfa23cc637651fa

AgentTesla

c1cb5a4a27cf88c43845d65d73c7ca0706b00f8c999301061b745ce922c1bd12

AgentTesla

e278ecca391be13103b9584a01fd2bbd4fabdfef4756e3870e48140a304894e2

AgentTesla

f8aa3880202328a119071117878db0c3b5dc03a5cae3cb16e00cd2353598a913

AgentTesla

+ 3'843 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231205-rkjp5sbh23/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

45b90fc6179bc979b8f604604cc1ce1502f7f69eec081ddd21b8f4fb0ce0eae7

MD5 hash:

9a25127accaa3d6b38191a7cf2bea0e2

SHA1 hash:

e2f5a3151cb4a26abd028b0ffc49673db134ad9d

Link:

https://www.unpac.me/results/0e8a8b9c-10b6-429c-9d73-2810f348b70e/

SH256 hash:

c2f1d5df49abda473ed5e6b7a406370ebb1f264f867e849b45a494a5926e199f

MD5 hash:

df7ea5d58d06eb0626e10e375e7badc7

SHA1 hash:

86dc35d6094a4898dc58da5a4ee89cf7787010a9

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/0e8a8b9c-10b6-429c-9d73-2810f348b70e/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/0e8a8b9c-10b6-429c-9d73-2810f348b70e/

SH256 hash:

3220f2e18f454bac107afcb18a9027bd6e57a7692d9972af500b3e0c33e6e209

MD5 hash:

6e53137dc24986ba8732ae0eca0aba01

SHA1 hash:

11812f140c1b62d822490865fc91f19070e9cbd5

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0e8a8b9c-10b6-429c-9d73-2810f348b70e/

Parent samples :

1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
6d7ca76f65a253a1587d1f5a94d7ff27d0babf11b830fd778efb96ebd8196442
8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0
80a2010e0a0ade699a0c4bc3d5f739491d4ea6ccf4abe39b8232ef39dc7aa430
90c7b6bd3fd954125e071fca9a96c398d2c7c337e150b79c3629285858dd476c

SH256 hash:

8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0

MD5 hash:

913aa7a8d382f9195e8057f5592e47a9

SHA1 hash:

538ea79a057fb8c0bd4f02c697fbefcffef87947

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/0e8a8b9c-10b6-429c-9d73-2810f348b70e/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8879bff7f26b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Reverse_DOS_header Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects an reversed DOS header

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/462630/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample