MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed
SHA3-384 hash: deb43241d2b284f5eca1e9e062eff4e18b82fb8d2c09b130a07e2a02af650b2a0c6a687d68a2c043933ab228f54922ad
SHA1 hash: f286bd2c83cc898323917855c0cd02939bf45586
MD5 hash: d9810179fbdb411ff17436205cbcc58b
humanhash: fruit-red-aspen-violet
File name:Pictures_logo jpeg jpeg jpeg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:53'016 bytes
First seen:2020-10-10 07:00:00 UTC
Last seen:2020-10-10 08:04:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:IbUL7Tnxy1pIKmvfH6lAF0CO/aIUaE4nUf2h/+:IbUrcfINv6lAFLODUaE4nUf3
Threatray 428 similar samples on MalwareBazaar
TLSH D933024AF142BD07DE750EF81953CD582BF0A7B38862C1166CC4A5ADCD41AF23B6A8DD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gvg-redsun.com
Sending IP: 58.213.91.113
From: Johnason_Chen <ccp@chinaredsun.com>
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Products_Pictures_logo_Designs_ pdf.zip (contains "Pictures_logo jpeg jpeg jpeg.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487427
Signature
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296156 Sample: Pictures_logo jpeg jpeg jpeg.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected AgentTesla 2->62 64 9 other signatures 2->64 7 Pictures_logo jpeg jpeg jpeg.exe 18 4 2->7         started        12 Pictures_logo jpeg jpeg jpeg.exe 2 2->12         started        14 Pictures_logo jpeg jpeg jpeg.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 52 pastebin.com 104.23.99.190, 443, 49728, 49745 CLOUDFLARENETUS United States 7->52 48 C:\Users\...\Pictures_logo jpeg jpeg jpeg.exe, PE32 7->48 dropped 50 Pictures_logo jpeg...exe:Zone.Identifier, ASCII 7->50 dropped 66 Creates an undocumented autostart registry key 7->66 68 Creates autostart registry keys with suspicious names 7->68 70 Creates multiple autostart registry keys 7->70 18 timeout.exe 1 7->18         started        20 Pictures_logo jpeg jpeg jpeg.exe 2 7->20         started        22 WerFault.exe 23 9 7->22         started        54 192.168.2.1 unknown unknown 12->54 72 Hides threads from debuggers 12->72 24 timeout.exe 12->24         started        34 2 other processes 12->34 26 timeout.exe 14->26         started        56 104.23.98.190, 443, 49747 CLOUDFLARENETUS United States 16->56 28 timeout.exe 16->28         started        30 timeout.exe 16->30         started        32 timeout.exe 16->32         started        file5 signatures6 process7 process8 36 conhost.exe 18->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 32->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 00:50:52 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvygx37nqykfpv746iwwyi5vwzwavv76ywkveqipa6zuoi4sj7wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f
AgentTesla
40ad91b6933578e04f70c93df1390205dda69285cb0a08337296bccf03a01d40
AgentTesla
5a6ff674194fd8f0b7221de0d402f383eec634054768bd2df0e7adc2fa825953
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
aa90926f50f27f99ae4c0001883be71b64dd0bb2f818cb39481f147f52a4658e
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
d533947ea02478e71f86ece97892e0f87c0bd966395047a6e770158642134f18
AgentTesla
dfa5e1f893c313deda7e7ea47512b756a21bba962e07cb21248b9abbdaadf3a4
AgentTesla
e0d9158031423f43664f7f990234f952a95a42de4804eda933afb59053643cd3
AgentTesla
+ 418 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
evasion persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201010-re5kwjdyyx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed
MD5 hash:
d9810179fbdb411ff17436205cbcc58b
SHA1 hash:
f286bd2c83cc898323917855c0cd02939bf45586
Link:
https://www.unpac.me/results/779b66d4-a986-4565-905a-31c32d86690c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

HawkEye

zip 58c3e15911b23e6a99e13616ceb07b43c682887d0b463806a44f789c8119e4fe

AgentTesla

Executable exe 8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed

(this sample)

  
Dropped by
MD5 796bb2c2fb582f0a0893313475df50be
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 58c3e15911b23e6a99e13616ceb07b43c682887d0b463806a44f789c8119e4fe
Cape
Cape
https://www.capesandbox.com/analysis/69708/

Comments