MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924
SHA3-384 hash: 5cf4c463a2f1fabc62da5f6bcd9f0a2c15c7e67ed140f452e8becc9d119e2ab1d9a9dcfc9ab0d0bfdfa1d87acbb2560c
SHA1 hash: 526bab82fe51100badaf2697d23e21762d3faf4c
MD5 hash: fe5d10fbee1c39a5fb81bcca6eabafb5
humanhash: fourteen-double-fanta-paris
File name:8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'352 bytes
First seen:2020-11-10 11:27:42 UTC
Last seen:2024-07-24 18:46:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ctoYlqBE45uluPHaVtShT8BsxEboWJFO+t3dOFwSULxt2WydfQgXVVsAoDK:pYlqBE4BPSt8LxEHa+T0ULxMia0u
Threatray 1'166 similar samples on MalwareBazaar
TLSH 1EE4CF216719AF19E07E43B798A0586083FAED46D732D62E7DF832CE15B1FE4512270B
Reporter seifreed
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529319
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 313755 Sample: o4OLQ03jVA Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 47 smtp.sunko-tw.com 2->47 49 us2.smtp.mailhostbox.com 2->49 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Antivirus detection for dropped file 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 9 other signatures 2->65 8 o4OLQ03jVA.exe 7 2->8         started        12 KYHka.exe 5 2->12         started        14 KYHka.exe 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\jyNwefysZQYHR.exe, PE32 8->35 dropped 37 C:\...\jyNwefysZQYHR.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmpBEF1.tmp, XML 8->39 dropped 41 C:\Users\user\AppData\...\o4OLQ03jVA.exe.log, ASCII 8->41 dropped 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->69 71 Injects a PE file into a foreign processes 8->71 16 o4OLQ03jVA.exe 2 9 8->16         started        21 schtasks.exe 1 8->21         started        73 Antivirus detection for dropped file 12->73 75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 23 schtasks.exe 1 12->23         started        25 KYHka.exe 2 12->25         started        signatures6 process7 dnsIp8 43 smtp.sunko-tw.com 16->43 45 us2.smtp.mailhostbox.com 208.91.199.225, 49760, 49761, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->45 31 C:\Users\user\AppData\Roaming\...\KYHka.exe, PE32 16->31 dropped 33 C:\Users\user\...\KYHka.exe:Zone.Identifier, ASCII 16->33 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->51 53 Tries to steal Mail credentials (via file access) 16->53 55 Tries to harvest and steal ftp login credentials 16->55 57 3 other signatures 16->57 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:33:11 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrjxpjocqnpf6ixrir36brurmjl6tibuz45hh3x5qbunmtkpjesa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
AgentTesla
1011042b7b2b5de9a160551cd8a212a24108b85935744f0cfbe29f8729b57d17
AgentTesla
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
AgentTesla
3d720b8602bbd7f3ae96869336ab23aa357180499b278df6631cb5d5ce645130
AgentTesla
5193daa3e21a010020f044a9167f141a4c9e62d8f19b21dc82049045a2fbee48
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49
AgentTesla
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
AgentTesla
de92f367f0cd6124c89fca0b754bf8dafe8a6a993b56380edb5fc8676c58cdb5
AgentTesla
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
AgentTesla
+ 1'156 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201110-36vrtl1fm2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8c5377a5c2835e5f22f14477e0c6916257e9a034cf3a73eefd8068d64d4f4924
MD5 hash:
fe5d10fbee1c39a5fb81bcca6eabafb5
SHA1 hash:
526bab82fe51100badaf2697d23e21762d3faf4c
Link:
https://www.unpac.me/results/5dbbe158-75c1-489a-94d0-8f0908a5273e/
SH256 hash:
8e86c638a2aaeebf1d548ac0d5728bf5d19e4170e42c24eae8d32923f7a350b6
MD5 hash:
19ab63a168cd4808a68b35f970ada9d4
SHA1 hash:
332f2cd3830e3af8ccafbce636ab75da18592741
Link:
https://www.unpac.me/results/5dbbe158-75c1-489a-94d0-8f0908a5273e/
SH256 hash:
5c18e221a217f775e04fcd5a88cd894b5c04b68b73bd824e49272c1b1c48d218
MD5 hash:
d3406fb44d7ce9f6b3f40c7ea0d3d75d
SHA1 hash:
6aa84da846394e68e8fc3a3ffc64b574506d6d94
Link:
https://www.unpac.me/results/5dbbe158-75c1-489a-94d0-8f0908a5273e/
SH256 hash:
5d3ab08a5c02ebd400b7ea883211dfec32ec1f802e9085d94f8070587c74e3fe
MD5 hash:
e2befab564213695046a8c87e1662653
SHA1 hash:
b8b1256ad55b7dff46328c2b3d7c8ef344720d9e
Link:
https://www.unpac.me/results/5dbbe158-75c1-489a-94d0-8f0908a5273e/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/5dbbe158-75c1-489a-94d0-8f0908a5273e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments