MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09
SHA3-384 hash:	1351abbba1f381c009ec4710dc8e80bb0e10a340332fd11be13eb354e2553054955bd2cc4643db18505380caae36b15d
SHA1 hash:	6cd7cb574cecf6c068a9058e0d191c1201095cc4
MD5 hash:	c4c5053d70c6836decabce1e1cb047cb
humanhash:	nebraska-three-ceiling-oven
File name:	GLES Inquiry G-6463.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'462'272 bytes
First seen:	2024-08-25 09:20:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:hWbSh1kQfljdsxe1o9fYxsTXrkEmDuk10Y+c2byUS3Q+MINvUc:Rdsxe1o9QxMQuk17v2bNyNnNF
TLSH	T1BD65BF0E37A44607EB1E9337D3910095C7B99117B247E38F4DCB68E92DE631A8F86663
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
File icon (PE):
dhash icon	64ccc4d4e8e0d4cc (6 x Formbook, 5 x AgentTesla, 2 x GuLoader)
Reporter	abuse_ch
Tags:	AgentTesla exe scr

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GLES Inquiry G-6463.scr

Verdict:

No threats detected

Analysis date:

2024-08-25 09:39:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f0066c07-35fd-49c7-8d64-7c9c569707c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.LokiBot-9984555-0

Win.Packed.Agensla-10032528-0

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66caf781b2a4681a729692f0

Tags:

Execution Stealth Nekark

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Searching for synchronization primitives

Creating a file

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade obfuscated packed vbnet

Link:

https://www.filescan.io/uploads/66caf7803f7da4780167cb81/reports/742be1ad-e9c2-499a-9ec2-0655fdf4dd21/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51ef03b1-edc6-4373-9403-44f17050503d

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1498631

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-06-25 00:39:44 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rrjjh4v6hx2v5zfhurli6szxtuicxvtanv4gdxip3il5nr465ueq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/240825-lbbqaaycln/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8690ac3f-5c41-4340-b50a-9ec5deb83e17

Unpacked files

SH256 hash:

8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09

MD5 hash:

c4c5053d70c6836decabce1e1cb047cb

SHA1 hash:

6cd7cb574cecf6c068a9058e0d191c1201095cc4

Link:

https://www.unpac.me/results/811d27c3-4bbb-42c4-94e1-68d542996220/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8c5293f2be3d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c5293f2be3df55ee4a7a4568f4b379d102bd6606d7861dd0fda17d6c79eed09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample