MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2
SHA3-384 hash: ae36e26bfbc5959e4b3d6c86f736690667814bd5aeeb77f22d148d77330d051b4d9f843e601c17952f916a24f0fcd78d
SHA1 hash: ab671d8df830539e66c55bd5696f6a2d167f4481
MD5 hash: bb9a52498d51d72770132d7a3a87dd22
humanhash: one-lion-cold-beer
File name:PDF4567823.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:475'136 bytes
First seen:2020-09-22 13:35:53 UTC
Last seen:2020-09-22 15:05:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3urVvGt4mbGJgoZZcX9ETbUtvhC6DOi86sS2KBEULSjl38LzI0DkF70+h:3dtdggcsUbUtvhnD186s9aEULSxjnn
Threatray 110 similar samples on MalwareBazaar
TLSH A5A428B62D43847CC999C339596A84C0F93613CA36935A0DB1AB831C2D166CB7F7E25F
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64395/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34569171.20632.26142.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/472417
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-09-22 02:04:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrwedwha6r4ldpqrxe4l7aygn2gppkfsstayzepawjlq6rsly3ja._file
Verdict:
unknown
Similar samples:
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
AgentTesla
0c6a73b0b33c6066230a29068a36779bc1c4ecfc98ffdd5c49ce5abe406a60f2
AgentTesla
62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
AgentTesla
80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2
AgentTesla
885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683
AgentTesla
923909fa41e21d68dbc11443fe31cf99d2792014767e276dd9aa7289a78afa06
AgentTesla
99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8
AgentTesla
a4b6103b1dfe717301995f598b140b0ce26e7a1541f45b6ed6485c05dca2692a
AgentTesla
c639621985cf5e13b426c10f605d28767636aabd6ac4e8d16da8ddc2c2bbc356
AgentTesla
fe13b5826a85afc204c9be0a3c8da5fb28844c5d7829413d23dd7e4229400bf4
AgentTesla
+ 100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200922-nf2dnvxp4a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/64395/

Comments