MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d
SHA3-384 hash:	927c88c22c590e0ca3f322dca0eb54d321556809362cda463d1c75fde976b03a26d3feff5489add042f51b71519939b8
SHA1 hash:	815564d57e42730f816d9f00843c5ff55725ac97
MD5 hash:	ae90e14fc75fbd95f44554b9fd5e5809
humanhash:	football-blossom-florida-five
File name:	ae90e14fc75fbd95f44554b9fd5e5809.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	740'864 bytes
First seen:	2023-12-24 08:18:54 UTC
Last seen:	2023-12-24 10:14:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ppwoqhQomWOHSGVHMWiuWkQxc+2L375OyOnZM73kxp3IT/QMASAdH:Dwoqh5/B2HMWiuzQxc+2L375JOZ3xpGI
Threatray	4'216 similar samples on MalwareBazaar
TLSH	T1B8F4011076784B5AC4BE27FA0525606103FAB92B752AE79C5CC671DBAD23F110F02F6B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

285

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN amadey

Malware family:

amadey

Alert

Create hunting rule

ID:

1

File name:

4363463463464363463463463.exe

Verdict:

Malicious activity

Analysis date:

2023-12-23 19:22:37 UTC

Tags:

opendir loader keylogger amadey botnet stealer hausbomber lumma vidar rat backdoor dcrat remote metasploit redline phorpiex trojan arechclient2 rhadamanthys evasion originbotnet nanocore remcos asyncrat hijackloader stealc agenttesla kelihos doina gcleaner systembc proxy purplefox risepro

Link:

https://app.any.run/tasks/82e726cd-3f11-4dbb-8961-e7ebd26557cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox AgentTesla

Detection:

AgentTesla

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/469180/

ClamAV Detected

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6587e97bb855eb3693f1fa1d/reports/2ba826ad-abee-47fd-a460-035273215442/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3bfdbcd0-68b2-401e-9c50-665ec1ab7d84

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366642

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d/

ReversingLabs TitaniumCloud ByteCode-MSIL.Spyware.Negasteal

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-22 14:29:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

17

AV detection:

25 of 37 (67.57%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rtkczjtzmgaqbbiov7irqmcmqyiuz5w6stpxkakmj3xd2gify5gq._file

Threatray agenttesla_v4 agenttesla

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

agenttesla

Alert

Create hunting rule

Similar samples:

5dbac89a6802a5144699a6e8a4ba1b2016857f03b0e01b6680af7f223f34f22c

AgentTesla

9a1138a162bb083659fe3716b97ed51486af388c69929decf4db49577c826bd2

AgentTesla

a8484d4b644528dca4b09691169ac66e7668a7a79c1c0e5f4ebcbd521c3d2d57

AgentTesla

e49df0f66eb42b10494df1c1c8518fe9ab49b30df38b148c2158149d52a11b91

AgentTesla

+ 4'206 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231224-j7t6dsdge7/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

UnpacMe INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Unpacked files

SH256 hash:

d9332d905635c6acc256b2b8e490becf03eac90400120dd333745a48a747ff1a

MD5 hash:

ffe13edbc049ce7b6ef7a3673928633c

SHA1 hash:

9c265068b32533f1c5dffd6792605093f95a227b

Detections:

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Alert

Create hunting rule

Agenttesla_type2

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_Binary_References_Browsers

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Alert

Create hunting rule

INDICATOR_EXE_Packed_GEN01

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Alert

Create hunting rule

Link:

https://www.unpac.me/results/bcd5c39f-c082-43a9-b010-01b3d4655471/

Parent samples :

5dbac89a6802a5144699a6e8a4ba1b2016857f03b0e01b6680af7f223f34f22c
9a1138a162bb083659fe3716b97ed51486af388c69929decf4db49577c826bd2
a8484d4b644528dca4b09691169ac66e7668a7a79c1c0e5f4ebcbd521c3d2d57
8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d
088912f521813fcc47c7ed2c36f4977e049a359606909dabb46422fa78d05f2c

SH256 hash:

3a647c346ec0c567c9c0814dffac38725803e458ca209790dcc7046722c3545c

MD5 hash:

854a102f6bcd5f3ed6c72cb66c6818c9

SHA1 hash:

96b6919f7e157669b252f34b38da424aeff42bcf

Link:

https://www.unpac.me/results/bcd5c39f-c082-43a9-b010-01b3d4655471/

SH256 hash:

37fa5487de78008d41531bc37428853f9918e7e173a3ff44fe4da65e0cf6f3b2

MD5 hash:

df57c50e31469a42f8af1a2891d7c066

SHA1 hash:

20de29f88b4bf5945311faa5606f61a6d2011d48

Link:

https://www.unpac.me/results/bcd5c39f-c082-43a9-b010-01b3d4655471/

SH256 hash:

e3d65bd9581460ee982d8040e2376222317843cba4c45e1e8567a4bb2d426f66

MD5 hash:

0a64362f023ad6fb6846acba666136ef

SHA1 hash:

1cf8a0db76830c2a093084e2b04f268648a943de

Link:

https://www.unpac.me/results/bcd5c39f-c082-43a9-b010-01b3d4655471/

SH256 hash:

8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

MD5 hash:

ae90e14fc75fbd95f44554b9fd5e5809

SHA1 hash:

815564d57e42730f816d9f00843c5ff55725ac97

Link:

https://www.unpac.me/results/bcd5c39f-c082-43a9-b010-01b3d4655471/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 8cd42ca679618100850eafd118304c86114cf6de94df75014c4eee3d1905c74d

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2739476/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/469180/