MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70
SHA3-384 hash: abf088731cc44e6efdad50da009f61e12021ebce4424e81d405f169ad50dd4cb5e2bb4426f2cfd9e7a9890ab1f1a2a87
SHA1 hash: 55bd9e9b08bef9479423c198790b9767fc678068
MD5 hash: 31bee5ae4e24247cab056a5bb765ff59
humanhash: sixteen-muppet-music-golf
File name:Outstanding Invoices.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:697'344 bytes
First seen:2021-02-04 12:59:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:rZi9709qv89IKCSDk3f2udm99X+/5nvGQh+RiY2H8BFFBb:rZy6IKTYvAMvGQhuiSd
Threatray 12 similar samples on MalwareBazaar
TLSH 4AE402562EBC4B17D1743FFA4AB0E01473B9D6562C2AD30ACFA63DC81A35F945E40A87
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Outstanding Invoices.exe
Verdict:
Malicious activity
Analysis date:
2021-02-04 13:00:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/343f1683-2a30-4909-9ce5-d724d1f52624

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115625/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/599250
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 13:00:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rotu7tupex4tpjjjetl2h7g3n26odyzrrg57fwkw34purnbtprya._file
Verdict:
unknown
Similar samples:
05035270f8764166652b1ca9ffcd39d1533d507d22debea6d8e93fe7d52f260c
AgentTesla
3234bc748b81ebe0c42c05f8ba90d5938664be2d70c2326d52e5b2dbde7cdc12
AgentTesla
4df82c087abde68f33236754d4c234e2d4f4cd24cdc44d3350dbbe69da58dc91
AgentTesla
881c500e546e1321c5dc627a77800f0fa8986740cd9f1c880d1ca51b1b735735
AgentTesla
abd5600b6b5f6228c095e5703429fbcecc647611fadd3e49090fbb70a8cfb728
AgentTesla
c45d3f56c8f4688a3b33b66caac9c09129f710c0350ce19ec07f1b55616fc832
AgentTesla
e2337e4c1315124c2a03694e0a37bee49d7aabe445b3a988ea619769019eacc2
AgentTesla
f2107af67057a683b0f47e63cc4f348747945cba5255da566d8bf65a1a26b47d
AgentTesla
f730752f0004b350ae3feabc65cad92908079f4ced927cf320228621eec9bac8
AgentTesla
fcd247261215a170a1644a7abd0c4003b21a81fb0dbdf928831351905e31388a
AgentTesla
+ 2 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210204-hltbe2b25n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
5dd16b35076bb6e00158d327662a1c5753ec2b0a99e471c424de5008de47fec9
MD5 hash:
d64d9d4339f7e32227f4a3dd6b542ab6
SHA1 hash:
e011f31e30545069adc370557110753e03f8639e
Link:
https://www.unpac.me/results/0c1d9672-420f-46e3-b30b-6a460cec037d/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/0c1d9672-420f-46e3-b30b-6a460cec037d/
SH256 hash:
fa0e87e590b08c2fd588a8beb7b4f401a823dd00ad6d8c949128ff55eaa8152e
MD5 hash:
53fa937ecc90a7675c5938eb679819bd
SHA1 hash:
d07c7386a00a866862af5ad20edfad86e3ebebb2
Link:
https://www.unpac.me/results/0c1d9672-420f-46e3-b30b-6a460cec037d/
SH256 hash:
8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70
MD5 hash:
31bee5ae4e24247cab056a5bb765ff59
SHA1 hash:
55bd9e9b08bef9479423c198790b9767fc678068
Link:
https://www.unpac.me/results/0c1d9672-420f-46e3-b30b-6a460cec037d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 9a5478226adb74ab2b573d4f8fdb1e28baea1aacd68961b2071cae4a5435cc78

AgentTesla

Executable exe 8ba74fce8f25f937a52924d7a3fcdb6ebce1e33189bbf2d956df1f48b4337c70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9a5478226adb74ab2b573d4f8fdb1e28baea1aacd68961b2071cae4a5435cc78
Cape
Cape
https://www.capesandbox.com/analysis/115625/

Comments