MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082
SHA3-384 hash: 22fb9420efea4e276945cd3306863bb62bec2825f4387362d1996696bce9ad5ad4e62286955251024a9dddc8225ec38d
SHA1 hash: 4dba0326013655ab97347d599f311f19d27ebaba
MD5 hash: b7ad17e786f060271d1682d91edaa1e0
humanhash: delta-fish-beryllium-sweet
File name:15934,00-USD-SWIFT MESAJI.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:271'122 bytes
First seen:2021-06-25 12:38:25 UTC
Last seen:2021-06-25 13:46:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 6144:sTqjF9v0kr2jvi9lyy9TNbQ91qSdsDw2NCsVlwK0D/qsntfy9d9KAA0bBJs:ssvS698y/8915dsDw2NCsVr0DqSEdwIs
Threatray 6'138 similar samples on MalwareBazaar
TLSH 7B44120213E34EB7E7BF9A31557354B4F132956A6209C60B4FB10D7A2B2D4960B2B3F5
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15934,00-USD-SWIFT MESAJI.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 12:42:49 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/5e0f01fd-2ce3-484b-9af0-91936418e049

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168318/
Detection(s):
SecuriteInfo.com.Trojan.Loader.849.32576.30047.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1da0d788-fde8-447c-bed2-e73d9f16fc32
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/808113
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 12:39:15 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfumdgappa2mtggjn7kyctozxaumiwixvcv2keihq5yl6ym34cba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22637e06185c1729dc491bf0d47763f8e549ae5a16223b04579240a0bbfa9f1f
AgentTesla
2d90d1eb72b8258b6eafa378348d531aa523e195aa33dba3365000bba8f6eeac
AgentTesla
31e702dd0fc8ae15e8ca4991263c135709a1d64cda293a4896f89ed3b3699b77
AgentTesla
550f5c6965c2a453da34e269695ae9e3e7776414b0c4cc6741d645af38abe280
AgentTesla
6be400fa61cb3ea26f971bee2b41dc11761d247835f5bff2a017a78f2a6aa010
AgentTesla
7442f0a65b8a25f44b65fe4e3db9eee4a95ea2027068b4fca8760d7a6a311a98
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
a94a6a5c3f1e54f64f9fe3b1c38989017ff1f0424d454a95d5eff09ad129ae8b
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
e790bdbae45848c16c2575b6d97f3b70ec40cfed889f2725dfa2f228bd81c359
AgentTesla
+ 6'128 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210625-c86rdmhnxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/ca21b17c-d066-496f-9995-ad08516cc9cf/
SH256 hash:
d9c16604e5d404982df836d84ec3c5c2b53e5406a2b8c6cd6f117531e7222add
MD5 hash:
24ab113ece2102c7c1e5671f0690020c
SHA1 hash:
85b24cafd469cc7856019f70cfa4e58ffffcfab5
Link:
https://www.unpac.me/results/ca21b17c-d066-496f-9995-ad08516cc9cf/
SH256 hash:
8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082
MD5 hash:
b7ad17e786f060271d1682d91edaa1e0
SHA1 hash:
4dba0326013655ab97347d599f311f19d27ebaba
Link:
https://www.unpac.me/results/ca21b17c-d066-496f-9995-ad08516cc9cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8968c1980f7834c998c96fd5814dd9b828c45917a8aba511078770bf619be082

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168318/

Comments