MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018
SHA3-384 hash: c2cef63940f6c9fc47edd1483d9dd19a6a2d2e471649a1bdf4f4356eecba2ea1b1dbd0748321e00de65217be0ac929f1
SHA1 hash: 8cf70127f58305b0fc7b103e16b5415b55207ac6
MD5 hash: be64c3b380a261a6fdddcd9dddbcf5f0
humanhash: berlin-eight-speaker-robert
File name:IK8QsX6z2B1lPY0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:852'992 bytes
First seen:2021-04-12 06:24:53 UTC
Last seen:2021-04-13 05:28:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:e6pOYqRKievnktb0c1AoOM9xdPJxaeZoY8DBkC4cvbS5L0kPK8:e6OXRKxUl1dxAeZKJ4cvfkS8
Threatray 20 similar samples on MalwareBazaar
TLSH DF0579432ED4DA8CF0D95A3E16FD10227FA7D8860A0E8FC7A9C7B3AD45D1906F521A17
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: agrometasia.net
Sending IP: 31.210.20.196
From: Aashini Sriharan <ashine@agrometasia.net>
Subject: KDLF PAYMENT SWIFT COPY
Attachment: PAYMENT SWIFT COPY.7z (contains "IK8QsX6z2B1lPY0.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IK8QsX6z2B1lPY0.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 06:56:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5bd6513e-78ae-4f6d-8962-e2de712570ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133652/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.95.10887.12510.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672553
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 06:25:13 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgi5tcsbe27in6ikfrjfs43b7u3wxo7yur6canxxofj2p42dmama._file
Verdict:
unknown
Similar samples:
03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b
AgentTesla
34be61cbbae899e84afc83e9c84308d24a688bc2a38e9e496f357d75f0d2d27b
AgentTesla
59f5a74779f56d64fa82f2632a50ad92e7d66571a6f06ab56af33bccd86f500b
AgentTesla
5d7395d4e9aecd39c3b6944843d929dd3cb27bbf2e97674c4b28b56239d6a89b
AgentTesla
645df929847cf97a37605f18d5f36241bdd7b727d7bb0c6587a9accc7b1f7229
AgentTesla
81c36e1db76eb746e8f94d40e316261789295523791c3a393f6a8f937a15ac64
AgentTesla
8d29d2a55106b608c38d8d444956bcb75d2257095fd74812bad445585b26bac5
AgentTesla
996142a80f928b834ec900bdaa02ac9890f97783cc73c10231571fa3a26a3ba8
AgentTesla
d5e7d49983a219e75540be866377c4b283614a31e41f9e5223ab6ad18a1cfe61
AgentTesla
d735d78db9d0d7b0826237f6500bb5190f23e6fc01218ae6ce75993bcd634b07
AgentTesla
+ 10 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210412-zfaer74hbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/af03a974-3eab-461b-8524-b9e5aa98a187/
SH256 hash:
8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018
MD5 hash:
be64c3b380a261a6fdddcd9dddbcf5f0
SHA1 hash:
8cf70127f58305b0fc7b103e16b5415b55207ac6
Link:
https://www.unpac.me/results/af03a974-3eab-461b-8524-b9e5aa98a187/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 4aa68cfc6d8664e244f6df6929038f66fafa05e63a671b489db1df6ce7e51b1e

AgentTesla

Executable exe 8991d98a4126be86f90a2c52597361fd376bbbf8a47c2036f77153a7f3436018

(this sample)

  
Dropped by
MD5 de8049430bab285613198d9b735997f3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133652/
  
Dropped by
SHA256 4aa68cfc6d8664e244f6df6929038f66fafa05e63a671b489db1df6ce7e51b1e

Comments