MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d95f2f2b793889bd6d3b1423127e0f919fc8d8211a47aac6949b5efc330aef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d95f2f2b793889bd6d3b1423127e0f919fc8d8211a47aac6949b5efc330aef6
SHA3-384 hash: 584f6b7cad57f533aeaf078e9d84f03f1fe15e03956ee4dba88d62e8b4623482ffb5e348765548ed07c03db6b6d8899f
SHA1 hash: 7f8a011dce4769cf9c48084b14ee62db02d807be
MD5 hash: 745688e6fd8fee733dad4b595f9f9a7f
humanhash: dakota-wolfram-michigan-speaker
File name:8D95F2F2B793889BD6D3B1423127E0F919FC8D8211A47.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:139'264 bytes
First seen:2022-07-31 06:05:49 UTC
Last seen:2022-07-31 06:32:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:GGXj85cfXghc/XhijWWQR27YzYyfdpQqosBX5kMsOxylt:zj8qIhv07Qqo
Threatray 26 similar samples on MalwareBazaar
TLSH T13ED37C203AEAC01AE173AE75C9D4B5F6A61EBE72E607941F18523F477233940CDD2939
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 9325252b2b17332b (2 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://airnicoltd.biz/branch/tesladey/panel/post.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://airnicoltd.biz/branch/tesladey/panel/post.php https://threatfox.abuse.ch/ioc/840557/

Intelligence

File Origin
# of uploads :
2
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295319/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.19347.15523.8749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Setting a keyboard event handler
Sending an HTTP POST request
Reading critical registry keys
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed upatre
Link:
https://www.filescan.io/uploads/62e61bcb6336465f2afb20f4/reports/94e31732-ef85-4f48-ae5b-38506ed3052f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/482a29f5-9355-4197-9f71-06b93068706d
Result
Threat name:
Agent Tesla, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043719
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected Agent Tesla keylogger
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676213 Sample: 8D95F2F2B793889BD6D3B142312... Startdate: 31/07/2022 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 7 other signatures 2->36 6 8D95F2F2B793889BD6D3B1423127E0F919FC8D8211A47.exe 1 6 2->6         started        10 WinDecode.exe 2 2->10         started        12 WinDecode.exe 2 2->12         started        process3 file4 18 C:\Users\user\AppData\...\WinDecode.exe, PE32 6->18 dropped 20 C:\Users\...\WinDecode.exe:Zone.Identifier, ASCII 6->20 dropped 22 8D95F2F2B793889BD6...FC8D8211A47.exe.log, ASCII 6->22 dropped 38 May check the online IP address of the machine 6->38 40 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->40 42 Injects a PE file into a foreign processes 6->42 14 8D95F2F2B793889BD6D3B1423127E0F919FC8D8211A47.exe 15 16 6->14         started        44 Antivirus detection for dropped file 10->44 46 Multi AV Scanner detection for dropped file 10->46 48 Machine Learning detection for dropped file 10->48 signatures5 process6 dnsIp7 24 checkip.dyndns.org 14->24 26 checkip.dyndns.com 193.122.6.168, 49690, 80 ORACLE-BMC-31898US United States 14->26 28 airnicoltd.biz 35.205.61.67, 49691, 49692, 49694 GOOGLEUS United States 14->28 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->50 52 Tries to steal Instant Messenger accounts or passwords 14->52 54 Tries to steal Mail credentials (via file / registry access) 14->54 56 4 other signatures 14->56 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d95f2f2b793889bd6d3b1423127e0f919fc8d8211a47aac6949b5efc330aef6/
Threat name:
Win32.Trojan.Olock
Create hunting rule
Status:
Malicious
First seen:
2017-08-03 17:55:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwk7f4vxsoejxvwtwfbdcj7a7em7zdmccgshvldjjg267qzqv33a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cf22420a396d9602d5028670b9e175550da36e8fe4c3bbe85a4de01419d8f2f
AgentTesla
25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b
AgentTesla
7c207a6ad28507e302b1165849b57a09695482d5c07bae27dcbba92a55163e5f
AgentTesla
94d008685ba759f32d3b80b5542394c9bd4a4f2ca42781cb67f31a7460244bcc
AgentTesla
aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
AgentTesla
f5e23cbdcbf36965b01e53f19105eeb7edf3c7a2c68aaa320fd666d19c193f32
AgentTesla
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/220731-gtqvpschdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
fe66c4a8fe7ac24e92501419e7650878728be2aabbf0125c96fa301867758a86
MD5 hash:
690fe7557a4707dce736edfd0473e388
SHA1 hash:
f8dc91f778fa04a525b4697cb5d07e0981e2611d
Link:
https://www.unpac.me/results/dff62079-4050-4d9a-a60b-4c0affe85b74/
SH256 hash:
83e439f0575e3c509d8b609cadc8a45bde76e8d4710f71fde348c9b054d9b7ca
MD5 hash:
12c015960f9db7c6ac89c18f9a5f509d
SHA1 hash:
91cad3a6547e212ef9ec3f5e74146cf7609627be
Link:
https://www.unpac.me/results/dff62079-4050-4d9a-a60b-4c0affe85b74/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/dff62079-4050-4d9a-a60b-4c0affe85b74/
SH256 hash:
8d95f2f2b793889bd6d3b1423127e0f919fc8d8211a47aac6949b5efc330aef6
MD5 hash:
745688e6fd8fee733dad4b595f9f9a7f
SHA1 hash:
7f8a011dce4769cf9c48084b14ee62db02d807be
Link:
https://www.unpac.me/results/dff62079-4050-4d9a-a60b-4c0affe85b74/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d95f2f2b793/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d95f2f2b793889bd6d3b1423127e0f919fc8d8211a47aac6949b5efc330aef6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:agent_tesla
Create hunting rule
Author:Stormshield
Description:Detecting HTML strings used by Agent Tesla malware
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295319/

Comments