MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b
SHA3-384 hash: 26d570b662d6c961de13a9fbf23c0bd2682fa95ff91001c54099b758031400a15e5583fa66395929ebed0ee5e4a6f4fc
SHA1 hash: 1eb8efaee48df0be7adf0acecd2ec151751041bd
MD5 hash: aaf3d3ad14b000703beaf2da3bf0d168
humanhash: twelve-montana-two-pasta
File name:RFQ101722-WOLF MACHINE INC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'183'744 bytes
First seen:2022-10-18 11:13:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussONP1NhJk:AN/hPd6ZFdj
Threatray 20'171 similar samples on MalwareBazaar
TLSH T13E4527BA22C0229FD426B1758193EDB362F76D225116D1C750D31FAFBC482BBDA12397
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321350/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634e8a7bb5f60e72b8c742ef/reports/fadc8895-26f2-44ae-886b-2299dbd30641/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a387dcde-c411-4717-9972-5d5ed27a5756
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092726
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725349 Sample: RFQ101722-WOLF MACHINE INC.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->55 57 12 other signatures 2->57 7 mAmEaHUab.exe 5 2->7         started        10 RFQ101722-WOLF MACHINE INC.exe 7 2->10         started        process3 file4 59 Multi AV Scanner detection for dropped file 7->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 69 2 other signatures 7->69 13 mAmEaHUab.exe 7->13         started        17 schtasks.exe 1 7->17         started        19 mAmEaHUab.exe 7->19         started        33 C:\Users\user\AppData\Roaming\mAmEaHUab.exe, PE32 10->33 dropped 35 C:\Users\...\mAmEaHUab.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmp26B2.tmp, XML 10->37 dropped 39 C:\...\RFQ101722-WOLF MACHINE INC.exe.log, ASCII 10->39 dropped 65 Adds a directory exclusion to Windows Defender 10->65 67 Injects a PE file into a foreign processes 10->67 21 RFQ101722-WOLF MACHINE INC.exe 15 3 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 41 54.91.59.199, 443, 49707 AMAZON-AESUS United States 13->41 43 api.ipify.org 13->43 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->71 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Tries to harvest and steal ftp login credentials 13->75 77 Tries to harvest and steal browser information (history, passwords, etc) 13->77 27 conhost.exe 17->27         started        45 ftp.code-jet.com 162.144.23.32, 21, 36922, 41395 UNIFIEDLAYER-AS-1US United States 21->45 47 api.ipify.org.herokudns.com 3.232.242.170, 443, 49704 AMAZON-AESUS United States 21->47 49 api.ipify.org 21->49 79 Installs a global keyboard hook 21->79 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 11:00:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riajvhmepq62v7gfce44jmyv4f5fhpv7fblvv2ir5kpisp22h4nq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e
AgentTesla
8ccea9d264f5584180de3b726b676590bfec351367d48a03decb1ee37f9f3965
AgentTesla
8d0e75998dfcadec6f3270336a1a4044d879629db57a0e4d42f9f3d6f0899d96
AgentTesla
9f94bfaf7433e3b0142b5a57965199ec01c4e69b1c5598642d165138ebf742f3
AgentTesla
eb94b3a9d0c4cd649911af985e6d82a66c36c1436723eccd3dc7b8fc66dfe8bb
AgentTesla
ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298
AgentTesla
+ 20'161 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221018-ndpq2afggk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/09d777dc-0b7a-4f5d-a2e5-2fa47f0e67f1
Unpacked files
SH256 hash:
1dec7a0a9439e8e14d1e188a19b8b7dd1de80b895eab2429d5a3582ed6ab2c82
MD5 hash:
dcdf37b75fcf995bfe0f7e04a2d591be
SHA1 hash:
c47d72afc82697c77fc0d320eab5dba0b565a7ec
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
SH256 hash:
acc307df31535b7bfcc8039b4bf26ae71567fab6f78c8fcefab496d3f8302fe2
MD5 hash:
5c52fdce79c6038ffaa2d97ec0b4fdbc
SHA1 hash:
b6c5580a9ac77fdbb38d700036b3a6f559f5605b
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
SH256 hash:
54a995bec91b04066879e5fa1362d6763ddcae36a8612ed0e4d770deb9906e69
MD5 hash:
4e5c09b99d88882da02de8117c46b50d
SHA1 hash:
16f73b7ae31d3bf235ef50f27eac3de30d650e44
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
SH256 hash:
301100e0a70ad1fd82e8f2bb288f67f81ac9d4432e6cf715a37d66e52eec564c
MD5 hash:
750b541ff3970f7f988079a4b6ea4b4d
SHA1 hash:
022fb41c3ad2bc97f77aa0e4d9a503773b019bd7
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
SH256 hash:
8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b
MD5 hash:
aaf3d3ad14b000703beaf2da3bf0d168
SHA1 hash:
1eb8efaee48df0be7adf0acecd2ec151751041bd
Link:
https://www.unpac.me/results/9658ba0f-be26-42e0-aa65-662a4f885043/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a009a9d847c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321350/

Comments