MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554
SHA3-384 hash: ea7c599a64c9ba9a85df5724cac8c66349f9f13c918ff387da5df28dadac4b15603cd86cb8955fe6ed3a506c9a3e3a4f
SHA1 hash: bb996da4dc10d058a634d4679509dc52ee5fac76
MD5 hash: 78e53609d9dd91e65998cd09cdcb5fa2
humanhash: beryllium-pizza-lemon-fanta
File name:zamów 1536625_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'258'496 bytes
First seen:2021-07-07 16:44:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:NSfyGm5YHlcPptgEnnz7MXakUqOOovUAMP8jr/mRrvkbcl0biYuWOBfWlB:TmcPpSE7MXakvOxvxC+mRrvkbNbiBBBE
Threatray 6'555 similar samples on MalwareBazaar
TLSH T12845DF7930328A92CEAFC7F94B71551E4F6DAFFE904BB6741885B07800F0B5E4A5192B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.tccinfaes.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zamów 1536625_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 16:47:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b70ed84-2138-4808-9abc-7a2c989b8cb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170253/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b284bd74-648d-4005-802b-1298a5057a5a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813027
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 14:57:18 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjctjyhuvgl4i4jcuhz7ncpmeirubgnsqb3rdwjfoj4jlpoe2vka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1efe450ba1d956b2633028670b5c62dea1cc8b8f976a9a951273fc09c798203a
AgentTesla
5dc0ae1ef10497379bb77e09ca8aa5849f5caa2409ecb993ed57677e9914d1d4
AgentTesla
990ec46fdb3a3e182ce8dac09ecfc1daa9fc07d3653d92f64b60f7474cfb4ae1
AgentTesla
9a37ae07a8196d6ebd054adb1d1e95fc3091fa6dfe42c359558520cf2eae02d5
AgentTesla
aaac88ee06cc1ac4517a21b6cf1350a69ee8f87a3fcacf94671ba9668a098c3d
AgentTesla
b1dd71be684f65897eafa065803b1212a443f5de52bce8242c3136b40ea1e9ba
AgentTesla
b86fbdeb14cd6cd5b5e144d029844e1c7d6e51c82b1bb7c3f0f07f8ff07258c9
AgentTesla
cd1021cd2a05b85705422bfa7345af95d23c928807e33befb43ebe0313209f08
AgentTesla
da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314
AgentTesla
e32303a9e778f52943af40c6aa81f4e7bd6ad9bfe99fbe495a3fc37cff6bcb98
AgentTesla
+ 6'545 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210707-4skbd8je2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
3d78e8de9182250f02ca4049c017a3d0b1c9137228d4c1db7c98e61d59b05875
MD5 hash:
03dc93922629b2b7f246f1bd1cdaa9fe
SHA1 hash:
ce815e0087c06e17ed6284e3cf8e64162c40e899
Link:
https://www.unpac.me/results/3688b386-f241-4d33-a4ef-902ecdeeb5f6/
SH256 hash:
3bbbb29ac56d10307e9db141c522be3c2554e98e35fbabd5334d706c0e2e3422
MD5 hash:
7ca8efcfc692508701f1e4e65127d9c4
SHA1 hash:
aaacd78fcf63baff62da34144fc959613ef4721b
Link:
https://www.unpac.me/results/3688b386-f241-4d33-a4ef-902ecdeeb5f6/
SH256 hash:
0d50dd4671dc62c23f269ee46fd72599d6fab4e260ba9a46b9fd5bcbe53796d1
MD5 hash:
9c6ada0167745e009aad467619812ce3
SHA1 hash:
5504ae64c4a420cda22dce0adc25bad3391a3755
Link:
https://www.unpac.me/results/3688b386-f241-4d33-a4ef-902ecdeeb5f6/
SH256 hash:
8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554
MD5 hash:
78e53609d9dd91e65998cd09cdcb5fa2
SHA1 hash:
bb996da4dc10d058a634d4679509dc52ee5fac76
Link:
https://www.unpac.me/results/3688b386-f241-4d33-a4ef-902ecdeeb5f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8a4534e0f4a997c47122a1f3f689ec22234099b2807711d925727895bdc4d554

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/170253/

Comments