MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93
SHA3-384 hash: 80c58a22abdbd87cd82b9083dffcb69016373d40c66e19e4daca42c6eb92539cd110979b3f667277859fd7e404db63f8
SHA1 hash: f40a7544aa9e7d8cee516484f8d5a51879b944bd
MD5 hash: 7bed25cd63b443f1c3c1e69c1cfcea84
humanhash: louisiana-mexico-table-eighteen
File name:7bed25cd63b443f1c3c1e69c1cfcea84
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'408'512 bytes
First seen:2021-07-20 10:16:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:mJClwfEwKrvDB+eKR+WnMz7oDVOycjkWiQm04s2Jgl/:rNQeKVy0D0y2m0f2Jg
Threatray 7'075 similar samples on MalwareBazaar
TLSH T196559F92B2539A89EC7F47F17C2AA42026F3BD5ED558C10C3DDDB25A65B3311209FE0A
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7bed25cd63b443f1c3c1e69c1cfcea84
Verdict:
Malicious activity
Analysis date:
2021-07-20 10:20:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ced2be4-9a3e-4386-9f2e-b0d1bd55322b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172770/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e24d5adb-0460-47aa-9148-5bc6b5cef54b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818835
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451243 Sample: CSBjU21GNY Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 7 CSBjU21GNY.exe 7 2->7         started        11 newfile.exe 5 2->11         started        13 newfile.exe 2 2->13         started        process3 file4 33 C:\Users\user\AppData\...\RuhJRPPoGhWZ.exe, PE32 7->33 dropped 35 C:\Users\...\RuhJRPPoGhWZ.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpB493.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\CSBjU21GNY.exe.log, ASCII 7->39 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 15 CSBjU21GNY.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 CSBjU21GNY.exe 7->21         started        23 CSBjU21GNY.exe 7->23         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 25 schtasks.exe 1 11->25         started        27 newfile.exe 2 11->27         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...\newfile.exe, PE32 15->41 dropped 43 C:\Users\user\...\newfile.exe:Zone.Identifier, ASCII 15->43 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->45 47 Tries to steal Mail credentials (via file access) 15->47 49 Tries to harvest and steal ftp login credentials 15->49 51 2 other signatures 15->51 29 conhost.exe 19->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 09:51:09 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f834fefed4e4fa735bf5e231ab5563529102c0c59890439419085d3c395b9c
AgentTesla
113eabe35a49134e8f6b1ba27c748826ea959de70fda113a6e71f70b6740b2d0
AgentTesla
2c04fc54a89ec9b7e65a0ddbc30b50573eb98f1c83858678ee097b3940b4a028
AgentTesla
579ce1cdef20d3892cec5362aaf049ef10086e3c638a756fab24f1f32ed37161
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
708833adb2ee812262f329d04431f369c1e5046aa5030362c521c828af756ec2
AgentTesla
9bc27c28bbcda4a82940f28f070239600ede7afc78286e79f83fe3e1b4f80e1f
AgentTesla
a659c50e03822cd595bf5d21007b2870fda97b6d4a5d3840d68bf8f333cc47ea
AgentTesla
b093aa405373bf5f37eb5b10379ab1e10add9aaf66471e299162b60d32f98b1a
AgentTesla
f7bd786df639edd7ef050889027c751d321fc3bcf7670478da66a56cd6944c69
AgentTesla
+ 7'065 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210720-ldwz18nz8s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/1a88c9af-6090-4ae5-84e6-0cf7cede7848/
SH256 hash:
8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93
MD5 hash:
7bed25cd63b443f1c3c1e69c1cfcea84
SHA1 hash:
f40a7544aa9e7d8cee516484f8d5a51879b944bd
Link:
https://www.unpac.me/results/1a88c9af-6090-4ae5-84e6-0cf7cede7848/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1468123/
Cape
Cape
https://www.capesandbox.com/analysis/172770/

Comments


Avatar
zbet commented on 2021-07-20 10:16:18 UTC

url : hxxp://198.12.81.125/wmi/vbc.exe