MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
SHA3-384 hash: 25f0254255763cfb8d016a50126dad167be081949ab17ebb5116310853fd5ba98f2f085fbc34990dc93701cc533ab572
SHA1 hash: c098cb76892d3a15e411df6f7609898bb3eded3c
MD5 hash: c9529a25d594961e607b4dcae422cb3a
humanhash: spaghetti-iowa-stream-twelve
File name:8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
Download: download sample
Signature AgentTesla
Create hunting rule
File size:993'261 bytes
First seen:2023-09-05 10:50:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:NTbBv5rUanD9l9oJVxmemCppraBGa6mXcqIAXiAQFSDJ:HBja7xmem6prvLAXiAVV
Threatray 5'468 similar samples on MalwareBazaar
TLSH T1D0251202BAC15872C472193759B4AB21AE7DBD305FA58ECFA3C04A2DDE315C1D631BB6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
Verdict:
Malicious activity
Analysis date:
2023-09-05 10:49:44 UTC
Tags:
autoit stealer agenttesla
Link:
https://app.any.run/tasks/a907902a-83bb-4cbe-9ba9-09698abcb2a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446293/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
DNS request
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit cmd control evasive greyware keylogger lolbin overlay packed replace setupapi shdocvw shell32 wscript wscript
Link:
https://www.filescan.io/uploads/64f70817c95366b9efff6b4e/reports/6a68a28f-2d6a-4224-88b8-13e07135fe38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d16969dd-68ec-41ff-a307-c544e1e5792f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303448
Signature
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303448 Sample: MJmNRo1rSC.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected AgentTesla 2->52 54 3 other signatures 2->54 9 MJmNRo1rSC.exe 75 2->9         started        process3 file4 40 C:\Users\user\AppData\Local\...\lwbgvhqn.pdf, PE32 9->40 dropped 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->68 70 Starts an encoded Visual Basic Script (VBE) 9->70 13 wscript.exe 1 9->13         started        signatures5 process6 signatures7 72 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->72 16 cmd.exe 1 13->16         started        18 cmd.exe 1 13->18         started        21 cmd.exe 1 13->21         started        process8 signatures9 23 lwbgvhqn.pdf 2 16->23         started        26 conhost.exe 16->26         started        56 Uses ipconfig to lookup or modify the Windows network settings 18->56 28 conhost.exe 18->28         started        30 ipconfig.exe 1 18->30         started        32 conhost.exe 21->32         started        34 ipconfig.exe 1 21->34         started        process10 signatures11 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->66 36 RegSvcs.exe 15 2 23->36         started        process12 dnsIp13 42 asgamaltex.com 104.152.168.38, 49719, 587 CROCWEBCA Canada 36->42 44 mail.asgamaltex.com 36->44 46 2 other IPs or domains 36->46 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->60 62 May check the online IP address of the machine 36->62 64 2 other signatures 36->64 signatures14
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 07:39:26 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjcadmv72g7xzwede6wxabav23lylvskia4wobjp7d4qouxtkm4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
AgentTesla
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
AgentTesla
60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38
AgentTesla
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
AgentTesla
6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26
AgentTesla
6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d
AgentTesla
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
AgentTesla
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
AgentTesla
ee0fac5b1ab0a1e4c8efadea7919f8f1105d0928ca3a7c359a65af0246e06cf1
AgentTesla
fb25c8a64c09f9c4e8c586b94d5cda1dc69be203b786ea297f9293d7bd7b8b30
AgentTesla
+ 5'458 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230905-mxtcwseh21/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
MD5 hash:
c9529a25d594961e607b4dcae422cb3a
SHA1 hash:
c098cb76892d3a15e411df6f7609898bb3eded3c
Link:
https://www.unpac.me/results/cd4791de-13dc-4ce3-af82-0ae0f4d576bb/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a4401b2bfd1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446293/

Comments