MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b
SHA3-384 hash: 0d9ae39072b87b09771283e1d728f3eafe15fc81f0c0b0d20b90874fc3014eaf4eab9fe294238d3771d2e683821e1c7d
SHA1 hash: 425cdd67c93562d960e4f86d9dab43b735bf84e8
MD5 hash: afb12495b0c9be1ad8acc1709ff5eb1e
humanhash: fanta-glucose-minnesota-montana
File name:LisectAVT_2403002A_19.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'353'734 bytes
First seen:2024-07-24 23:47:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:5vUYwEInDMNjcqkUg4V1NhGMlBXkZubMS:hxInghcqko5hGMlBZL
TLSH T1CA557D15B742C080F5AE2572CDE1F7F4063AFC3BDA069A1B114B3E89B0777578A36686
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 71f0f0d4ccccf070 (8 x AgentTesla, 3 x Formbook, 2 x SnakeKeylogger)
Reporter Anonymous
Tags:AgentTesla exe


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.23608.UNOFFICIAL
Create hunting rule

Win.Dropper.LokiBot-10021245-0
Create hunting rule

Win.Packed.Agenttesla-10021298-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a192c2ae21d7902eafe193
Tags:
Encryption
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin net_reactor overlay packed packed shell32 vbnet
Link:
https://www.filescan.io/uploads/66a192bd3ba51bb345a36e76/reports/937eee4a-70f9-4180-bb84-8adf55132457/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e08b209-4a6e-40a1-a8bf-608e31a1d7a9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1482445
Behaviour
Behavior Graph:
n/a
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 23:48:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rq4fzmamzl6cbmhjceuurocvsdgds6oerhzzakiy7f4kzvvkkcfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection credential_access discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240724-3tgspavbqp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
AgentTesla payload
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/312ba7bb-5494-4efa-b537-d1e7e96627e6
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/6469ba1a-d18c-4952-9ad6-623123657d7f/
SH256 hash:
5aee26c78db5fe50997507661d5402280f88d1a300c54a1c9a5cb5e43ff79ae0
MD5 hash:
9109f8c9288309ada3d56f5df8ea41d6
SHA1 hash:
9afde659925f2f2d8cf789d4f53d9cf9fcb2c18d
Detections:
AgentTesla
Create hunting rule
win_agent_tesla
Create hunting rule
Link:
https://www.unpac.me/results/6469ba1a-d18c-4952-9ad6-623123657d7f/
SH256 hash:
b92b9f2cb205ae0796f6e7217ac90a7113961dccee4e8c6eddc9db971e082c2e
MD5 hash:
769e73193eafee9ac4b41516414d88f5
SHA1 hash:
59b98d93273cdfdeba8260017abac2f29ee90d8c
Detections:
CyaxSharp_ReZer0
Create hunting rule
Link:
https://www.unpac.me/results/6469ba1a-d18c-4952-9ad6-623123657d7f/
SH256 hash:
8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b
MD5 hash:
afb12495b0c9be1ad8acc1709ff5eb1e
SHA1 hash:
425cdd67c93562d960e4f86d9dab43b735bf84e8
Link:
https://www.unpac.me/results/6469ba1a-d18c-4952-9ad6-623123657d7f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments