MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991
SHA3-384 hash: 8d4e5f4cbfb0abe18ea1654ddef538afe727bc58ca3e7d99c67f1eca6c23c7c448a942ccf643422a3d58342e36179e52
SHA1 hash: af2d45d98b320f58fa6494c71a1323189c1f9afb
MD5 hash: d652db68861597f6786c37937e2cfaa3
humanhash: magazine-violet-indigo-carolina
File name:TT payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:795'136 bytes
First seen:2021-03-29 10:38:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:J8K9ZWTLm6NKIq2hR8tDkyJplsgB3Fb5jhb98lf03yebrwWKiz6:39Qm+g2hR8SydR5j198lf0imKiz6
Threatray 3'546 similar samples on MalwareBazaar
TLSH CC05DF7E24A72B33C5BAC7B58CE51553B662A42A3091DA0D58E31BC11762B5339CFB0F
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991.danger
Verdict:
No threats detected
Analysis date:
2021-03-27 21:53:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d4287aa5-7d35-481a-a41d-c2f401bf58bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127552/
Detection(s):
SecuriteInfo.com.Dropper-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656763
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377313 Sample: TT payment.exe Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 7 other signatures 2->40 6 TT payment.exe 3 2->6         started        9 kprUEGC.exe 2 2->9         started        11 kprUEGC.exe 1 2->11         started        process3 file4 26 C:\Users\user\AppData\...\TT payment.exe.log, ASCII 6->26 dropped 13 RegSvcs.exe 2 4 6->13         started        18 RegSvcs.exe 6->18         started        20 RegSvcs.exe 6->20         started        22 conhost.exe 9->22         started        24 conhost.exe 11->24         started        process5 dnsIp6 32 mail.a-k.co.ir 144.76.118.195, 49757, 587 HETZNER-ASDE Germany 13->32 28 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 13->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 13->30 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->42 44 Tries to steal Mail credentials (via file access) 13->44 46 Tries to harvest and steal ftp login credentials 13->46 52 4 other signatures 13->52 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->48 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->50 file7 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-24 09:57:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrelfmn2hiissrnbxuqhadwbffnzurrcrkqyg2p7umijo6dkpgiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
1d489bde326240c639875d1adbf09d0d3614cde9ac3a7561cff8d7fb297ee56c
AgentTesla
451381760beee5124df9d6fe4d2a447dfcb420473800e9004d86159a0396547f
AgentTesla
4f7d5341938d454623f7967c63c923f88241e9cd17683061fc859dc6a262f6ee
AgentTesla
6ca16a6db9d7c0485eda77ec2e88fdf53a446982da3185a6cae2c6dc657e4d50
AgentTesla
a222707d7596b243326b50df4ce981b8c572d22808465d805592f6441ab7f871
AgentTesla
abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
AgentTesla
ca8d2b47b68c7da2724b641ced05c71eb70b612b7fe02d9b2d89764d68b05be0
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
dbce8fe278a2c14f6e9d1db1d536d087da864d9870ee364dcb4c89322604729e
AgentTesla
+ 3'536 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210329-2drv8s1kxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6a166ff0e110cab6e072805ee8f77409ff24a6c0b8f6c5eb14d4216f6213dd49
MD5 hash:
b4d5da691c04d2fd15d5e9ffbad9e6a6
SHA1 hash:
c2958a1f47e11dc566eb902650a95c930018991f
Link:
https://www.unpac.me/results/2848bd9e-3f9f-42cb-b49c-26cece107c5f/
SH256 hash:
7c87feec999e0b3f6bac517c7b95c9075402501419e1ccca496bb5bfeda6cc4a
MD5 hash:
6959a114eb6b3c987608a7b33b6f902e
SHA1 hash:
8f7644cc9f354df2d24b2147492246e4ab10ff68
Link:
https://www.unpac.me/results/2848bd9e-3f9f-42cb-b49c-26cece107c5f/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/2848bd9e-3f9f-42cb-b49c-26cece107c5f/
SH256 hash:
8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991
MD5 hash:
d652db68861597f6786c37937e2cfaa3
SHA1 hash:
af2d45d98b320f58fa6494c71a1323189c1f9afb
Link:
https://www.unpac.me/results/2848bd9e-3f9f-42cb-b49c-26cece107c5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3dd21a591a4598a3475881f1c87e36a6e16e7fc42e90cc5ee119956ea3112a11

AgentTesla

Executable exe 8c48b2b1ba3a112945a1bd20700ec1295b9a46228aa18369ffa31097786a7991

(this sample)

  
Dropped by
MD5 f67cced60e0cd72ab403681362a75b60
  
Dropped by
SHA256 3dd21a591a4598a3475881f1c87e36a6e16e7fc42e90cc5ee119956ea3112a11
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127552/

Comments