MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
SHA3-384 hash: 7d1536ba22b53cca64fdef0a773dda9f147a5f43e11d4c85086f766f6f4711efdd4f50eceb1aa98b54ed1ad93af63743
SHA1 hash: 02014cef4c5f396b57dddeed51d4680820719c08
MD5 hash: b35400ca7cbdd559496657d19478c889
humanhash: asparagus-football-pasta-pluto
File name:FC.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:737'280 bytes
First seen:2023-10-02 11:43:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:XMYnQ3j67SESV1eXl8OhA90aAKgbg5KgIGM0TmxvNpiAQ+kuhC8FD4L7gQWO7s5L:XBaAZbg5jRvU1SulD4tWU+zYe
Threatray 5'704 similar samples on MalwareBazaar
TLSH T1E1F4E19177D9F8CCE6AB79734CF5810002726E476867C24EBD0176AC96B23C36A86D1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
FC.EXE
Verdict:
Malicious activity
Analysis date:
2023-10-02 12:34:18 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/e8f743cb-e021-408d-9935-1a16af919cce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452604/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/651aad040870810f018ae6c6/reports/484646af-8a5f-4d26-88ca-9afaa95c5a53/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a52fbcdf-8325-41f9-9314-cc616ea21b43
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317878
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Copy file to startup via Powershell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1317878 Sample: FC.EXE.exe Startdate: 02/10/2023 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Antivirus detection for dropped file 2->41 43 11 other signatures 2->43 7 FC.EXE.exe 3 2->7         started        10 anydesk.exe.exe 3 2->10         started        process3 signatures4 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->45 47 Bypasses PowerShell execution policy 7->47 12 powershell.exe 13 7->12         started        16 FC.EXE.exe 2 7->16         started        19 anydesk.exe.exe 2 10->19         started        21 powershell.exe 11 10->21         started        process5 dnsIp6 27 C:\Users\user\AppData\...\anydesk.exe.exe, PE32 12->27 dropped 49 Drops PE files to the startup folder 12->49 51 Powershell drops PE file 12->51 23 conhost.exe 12->23         started        29 zqamcx.com 78.110.166.82, 49796, 49799, 587 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 16->29 31 windowsupdatebg.s.llnwi.net 16->31 33 mail.zqamcx.com 16->33 35 mail.zqamcx.com 19->35 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->53 55 Tries to steal Mail credentials (via file / registry access) 19->55 57 Tries to harvest and steal browser information (history, passwords, etc) 19->57 25 conhost.exe 21->25         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 11:43:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp56nrslh2n3l2q655f5q6duz56jkiplkwxllqf6z3tma3v5lvuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0331ca586f68e8a853e9030635f249dba8337da5ef7c29521c373807fcce1a6f
AgentTesla
113e16425e010952150f3c1f7ae615602cd4ca30826b0e7518aa058341058a94
AgentTesla
445e78195ac6fda213fe26c8263f5362d0f3f61ff4d5f11e9c1293298a1b422f
AgentTesla
51750c80c00e61d2d5017c6b82a935000ac8ba5d38b7bc37b4ed98f193785148
AgentTesla
984be8706b65a53d26f032b9471751943cbf5e35d8c4baabcac153053949e283
AgentTesla
cd024d5e9533b28abd95f67a9c4fe4813e179ad4bbb7c70cfaba546eaf21a73f
AgentTesla
d85278c4099b913c69779c4b69a0c85cbb0d7cbe72ae9a324b798a0fd2e02fb7
AgentTesla
+ 5'694 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231002-nv5tksbd94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b0a5bde203404c5a11167cd0f11a60c039dd4766c2d20b7b0f1564563a951d04
MD5 hash:
1c35586d4dc1efccead9458191b70caa
SHA1 hash:
ef22b6acf15ea63518272a5e751afeb5640f1bff
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/c8c9dba1-09d2-4b04-805d-2d1910bc779c/
Parent samples :
8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
SH256 hash:
d63d539c511bf6b1d9bf0d3d26b1bb9e2842f68ef9b6dee4a69613aedeaac91b
MD5 hash:
513221d956206f687a9c1092b481bd00
SHA1 hash:
870808702a2eabc08e63ee8ec11344e6d38750bf
Link:
https://www.unpac.me/results/c8c9dba1-09d2-4b04-805d-2d1910bc779c/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/c8c9dba1-09d2-4b04-805d-2d1910bc779c/
SH256 hash:
8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
MD5 hash:
b35400ca7cbdd559496657d19478c889
SHA1 hash:
02014cef4c5f396b57dddeed51d4680820719c08
Link:
https://www.unpac.me/results/c8c9dba1-09d2-4b04-805d-2d1910bc779c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bfbe6c64b3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 9ac5e743f998bbcc92e816a2c555e8d854cbbda0f57515a8ed014121a5fcc5f4

AgentTesla

Executable exe 8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9ac5e743f998bbcc92e816a2c555e8d854cbbda0f57515a8ed014121a5fcc5f4
Cape
Cape
https://www.capesandbox.com/analysis/452604/
  
Dropped by
MD5 67187e9132d42169734ffd34d72babb3

Comments