MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d6e314c47750b11aa6099c155ecc867d1d6e2a02d2b25aff78fee643bc2c5ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13

SHA256 hash: 8d6e314c47750b11aa6099c155ecc867d1d6e2a02d2b25aff78fee643bc2c5ad
SHA3-384 hash: e7ea127bcfc2d805dc8223d9083176542456a8c11ac967c2767e8810d7b276d2946c83e868f349c4834ed5e7e187746b
SHA1 hash: 00691a8b346a8c91ca393aeabb41fa8a83102e11
MD5 hash: e01d546954b7b9c3dafb2e61549788c7
humanhash: queen-mars-sixteen-india
File name: e01d546954b7b9c3dafb2e61549788c7
Signature: AgentTesla
File size: 744'448 bytes
First seen: 2023-07-28 08:02:22 UTC
Last seen: 2023-07-28 08:40:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:LLJFOHkUygUTjTeqkcI5+sR3YZpWnvLexFdfy1Wt6GXQ+LdyrKCFYBojBan:+ypT7I5+sKpevaxX61V4LjCaOjBan
Threatray: 5'436 similar samples on MalwareBazaar
TLSH: T190F4F120B2BA1145F9F61BF2083792C012767B7B6A44D71D1959DECF8D32A8F8701BA7
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 284
Origin country: FR
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: Purchase Order.xls
Verdict: Malicious activity
Analysis date: 2023-07-28 06:49:43 UTC
Tags: exploit cve-2017-11882 loader stealer agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin packed tracker
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-07-27 17:29:21 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 20 of 36 (55.56%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: collection spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 689f593dbafc002a390e2dcd5f9348afeb0f5c35491c2174d9a512c28a79be92
MD5 hash: bcce91511301bb99d4a3689c08d10bfb
SHA1 hash: 8f3d8a280047e93bf00e96e62e89862517253628

SHA256 hash: 4f50f087cf0597e179b43af62034e5d6e6823c858b880b548bd6860833c9d713
MD5 hash: 264846c9e90d1bc6bcd1b5ce8d0369a5
SHA1 hash: 810c66de8e2b92d2a0ecfa2f369f6b0a3af06ce3

SHA256 hash: 0775674b0c5003b816414295e1971f1c5ce83b7f245ce13aca00b320749cd1de
MD5 hash: 81edfe524656ce69b9a544a071ab881e
SHA1 hash: 3f9be7856e08c757c40f8beed7cd67351eae6e3f

SHA256 hash: 7881b9100c05653e6f52490ea3edc7996e523b116bc52590a1a170f0797464e1
MD5 hash: 19d2b7874b8be0907036caefec119f56
SHA1 hash: 11cc613614514b0512d35e5e09a9a7b68f890c63

SHA256 hash: 8d6e314c47750b11aa6099c155ecc867d1d6e2a02d2b25aff78fee643bc2c5ad
MD5 hash: e01d546954b7b9c3dafb2e61549788c7
SHA1 hash: 00691a8b346a8c91ca393aeabb41fa8a83102e11

Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AgentTesla
Executable exe 8d6e314c47750b11aa6099c155ecc867d1d6e2a02d2b25aff78fee643bc2c5ad (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-07-28 08:02:23 UTC

url: hxxp://107.175.202.170/222/ChromeSetup.exe