MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699
SHA3-384 hash: 38f2b9b3fc2954f07851667c7f4db930212ee8e9e4582f437dc21129d0c813a1432c774b1ce83ce3416121b104c552cb
SHA1 hash: f805e0880ccf6a158d80368adbd3034cda5d98a0
MD5 hash: a11cd7d7d557b64c8374b217ff26398c
humanhash: high-nebraska-sink-river
File name:TNT shipments.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:633'344 bytes
First seen:2021-10-12 10:11:10 UTC
Last seen:2021-10-12 13:38:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:chQcl3j4rV7eCjGC94CMOvuQJYLxpx0vrGGxU7bGv+hP4J5luYPi9uWlLTFlLDo3:c6cI7CC94CMNLjxxGZIM5fxcnn4b
Threatray 11'604 similar samples on MalwareBazaar
TLSH T11CD48355F343AC12E557167354E451E3A10869C7E8888338EBB3BAA358DE3C45B8CBDE
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.aivazibis.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT shipments.exe
Verdict:
Malicious activity
Analysis date:
2021-10-12 21:17:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39e805ad-7a95-4a92-9851-473ec8e5762c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196884/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61655f74fd35fe780c3a56ad/reports/2734ce0c-18ea-4935-b593-b795663b2de4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b40cad6a-56b0-4fc3-8931-3dd924e266ec
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/868591
Signature
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 10:12:06 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rlbq2nfqvyrbcvrjcrpx5zytfe7disgp64m4gz4lvq7p6qwsk2mq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04bd0fba55c5d6c085f0ec24632020b392c1fe80b66fa725c0922a41fb4d8723
AgentTesla
32b793817b07a78490aa882218fb2880723c7ba23381545a2d7facfe0cacf4c1
AgentTesla
4964c618368217328e5fb70c84e047f18e5027ae0e6ea984b1b96c38ffad77c7
AgentTesla
58940bbe4bd11e01c2d344a8b50f98c087e979bc72a9f9682f7a0d3d6a2c8746
AgentTesla
5baccdcd2956925b6280da41dbd94b190336e599b5f6f4bd1a1ed3d7ba9ca94a
AgentTesla
96bc15b0b5656a5cb8c4fc31f2967ef7204df7c498b81d0eb02188b15afcf246
AgentTesla
9d5d357ce6cce0583c44dadc795e622e0e9eae9211e88bf22e8d932935a8a0f4
AgentTesla
e6c9d7712cbb3e74662f656d5b0891c79bf175c3955fab5a791ca92e64bba8da
AgentTesla
f8d60cc318fc750f965180766b7edb64a81d86845b27b23f8d7bb0296adea2b7
AgentTesla
faed5dbd3ba84e4772ba3b085341ec335187d5da3033760f5b3578eeaf48d186
AgentTesla
+ 11'594 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211012-l8hvvscadp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
eab2bfb0d7595239f7ee0d019ffb255735f8f125bd67a37d0426ca26c4823e86
MD5 hash:
750f3b078fa53ccde72eff1e4142975e
SHA1 hash:
eca5efe68a55fe72d0420cb2654c8a9b8fa4d229
Link:
https://www.unpac.me/results/24bec650-a0cf-48dc-b993-73993fdafe51/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/24bec650-a0cf-48dc-b993-73993fdafe51/
SH256 hash:
52407f5b1a9e485c88616725cd5169f2484ac66cb68804d0738c359ad92a2f57
MD5 hash:
598b0d1475ec1211a08161ea2744c587
SHA1 hash:
2251c8d5f39a88881efed03edad3d97c2ba10fb2
Link:
https://www.unpac.me/results/24bec650-a0cf-48dc-b993-73993fdafe51/
SH256 hash:
8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699
MD5 hash:
a11cd7d7d557b64c8374b217ff26398c
SHA1 hash:
f805e0880ccf6a158d80368adbd3034cda5d98a0
Link:
https://www.unpac.me/results/24bec650-a0cf-48dc-b993-73993fdafe51/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8ac30d34b0ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8ac30d34b0ae22115629145f7ee713293e3448cff719c3678bac3eff42d25699

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/196884/

Comments