MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f
SHA3-384 hash: 962742e01db8ee3ae490880dce77499506be4488b14cee98fd1e550b75a63682cc60e6141bc405d72b65aa68a8fdcc79
SHA1 hash: fd6f29a4c81eb57eb17520986d12672b3f63105a
MD5 hash: 85a792c02899cfa606d8e655d46f8d86
humanhash: delaware-two-juliet-item
File name:SecuriteInfo.com.Win32.PWSX-gen.10034.10627
Download: download sample
Signature AgentTesla
Create hunting rule
File size:665'088 bytes
First seen:2023-08-14 03:27:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:BPP4lrrykgSgQefxnf19FTzPcn0bEBkajgOtEqa98Ml3udW3U:ZP4lXrgSgZZf5P4ww1El8MkcU
Threatray 5'568 similar samples on MalwareBazaar
TLSH T1F7E42254269C0FBBC9FB5BFD949870B407B253A33325D709598631E24AB37062B12E6F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
386
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.10034.10627
Verdict:
Malicious activity
Analysis date:
2023-08-14 03:28:59 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/7756365b-bc61-48bc-afee-6435d3d994b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442551/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.10034.10627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5bf4b75-3c11-45ac-981c-0c553c7da624
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290761
Signature
.NET source code contains potential unpacker
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 02:18:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjqbnqway3ypsn3x54kg5jq4rodrvtelw73snuc4nlsiuealorpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
32db09e8cfd829ef38b2604520f7e10b4f353c21883dec276fc4f690594e07a7
AgentTesla
3441f09f92a9f9234013c0a3484c812f4cde252c191f4212bc24c81f04e7874f
AgentTesla
51f07741241cafeb5f72535e1b04f3b5e258a2587b5d2f1d8d67a180ec02ceee
AgentTesla
645ad77845422397cbbf8d693ac930047571abae040f058b88d2b5555b1f0754
AgentTesla
76a66f7fc55ad34fec963c42be5a025aef31ed950c2f1bcca415d2754572213b
AgentTesla
91cebe14386e053247997445208e08475f64480520316f826e252dd11431e240
AgentTesla
946697229fabf9901bfa8ed8800acbbf514c952baa747741bf6d2529497295b7
AgentTesla
9f67e7fe9d42fd8fdb38ad26d81b93a2d6bf143e3ca5b7ca72733605b2dc2f5b
AgentTesla
aba16ed8d742b8ebeb80e736ec3ad99e4480eeb977a1aeb3ec124dc7d7b3e546
AgentTesla
+ 5'558 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230814-d1b4caha47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7b1e678c7c4eee7e46e6cfbd53bb95989e81b129d289bca515545a19a6e02a58
MD5 hash:
69d3955a4822a33a3019d1c11458205b
SHA1 hash:
de29084906a9d27fb055e35d4b9615fc4d357093
Link:
https://www.unpac.me/results/adbb8772-192e-40ba-8e04-fbfb78813670/
Parent samples :
3f0862dc7485fc5c5d3eab573dd2dfedad47241d7dbaf7c8cfd218ff105a0ace
14f4fe0a5de3161df5631f5f50d4caf56f29e6a6a26c536ac6956944d8883b0e
9289314aab6aaed64dae4f685d00bf936b7e43f03105a88e5ec457b82261e41e
486d2fae164dfd24b2d443ffd775d83f33136a746bded12f3e05cade26bacd24
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/adbb8772-192e-40ba-8e04-fbfb78813670/
SH256 hash:
75bb5f6eceaf03c49eb5ff58332e5aa89889415085ded05e752e096663a0458d
MD5 hash:
0670c031b773a7e548b3f00beeabbb8b
SHA1 hash:
7b1d13c5b371e9f9cddc5f168ec0032739d4eeb7
Link:
https://www.unpac.me/results/adbb8772-192e-40ba-8e04-fbfb78813670/
SH256 hash:
17d374210ab665bff4abd342a9e54635f90481f9371b3d6aabca860bdbef7706
MD5 hash:
8b5f3d46fb2424f6301a0c8635c42cf3
SHA1 hash:
79468f89d90cc8e46139b457b8fe97e9f7527406
Link:
https://www.unpac.me/results/adbb8772-192e-40ba-8e04-fbfb78813670/
SH256 hash:
8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f
MD5 hash:
85a792c02899cfa606d8e655d46f8d86
SHA1 hash:
fd6f29a4c81eb57eb17520986d12672b3f63105a
Link:
https://www.unpac.me/results/adbb8772-192e-40ba-8e04-fbfb78813670/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a6016c2c0c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a6016c2c0c6f0f93777ef146ea61c8b871acc8bb7f726d05c6ae48a100b745f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442551/

Comments