MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dc22e1920473eca003886953bc32cb4fe5c1ba16c8a6c6bced7fda43a421426. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	8dc22e1920473eca003886953bc32cb4fe5c1ba16c8a6c6bced7fda43a421426
SHA3-384 hash:	6c2579739f27513ca9bcb4705cca11ecbd1e7602a58f5bc49571806b056eacee89c6c22a440d52de8df5a8df8c0b748a
SHA1 hash:	32ead1974a269272d18767511d41071c616ad593
MD5 hash:	07c6c251f9becf11bdd45a217a5a08b9
humanhash:	venus-football-wolfram-artist
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'435'072 bytes
First seen:	2021-05-03 12:56:39 UTC
Last seen:	2021-05-03 14:00:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	1536:bBN3blRO/0BkEz6rLYXKjZtrBNm3mFfcTXzhoXXtZJh0pQnsdiffd1FD9Dxt7hI6:bjm
Threatray	37 similar samples on MalwareBazaar
TLSH	3DB5416132FB2A807EB5F81EBFAF04E85273B69471B7EB145024B15EAF96748104934F
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/148484/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.19422.3230.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/707879

Signature

.NET source code contains very large strings

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8dc22e1920473eca003886953bc32cb4fe5c1ba16c8a6c6bced7fda43a421426/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-03 12:57:13 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rxbc4gjai47muabyq2ktxqzmwt7fyg5bnsfgy26o2762iosccqta._file

Verdict:

unknown

AgentTesla

587df9036ffed6807865686f406ff26511a466562129803f75c5b8cd7e0f9839

AgentTesla

728beffcc4c6b9cab51ed5b4a459cc6f996ba0eb1a1e8c29f567de5701abcd91

AgentTesla

7dc99e0fc03dc0936799d5328e864b67dd8c92d3ae90798cc542449e2f0d55da

AgentTesla

abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3

AgentTesla

c4ee3e5cecf3510d88b59f4122e88f50dc99a761338dd1f8fc3eff6bfed2e005

AgentTesla

cde072db2b4374550769689ef072dba357436e36d2e75c1398d24896e0deaeb1

AgentTesla

e8cac456b3e4a072d16142f0dd9f9b0500013cfefe7359e4293d4cff61f9eaf7

AgentTesla

f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512

AgentTesla

f5a3c92032bc45af8e374b619a5b6d046e6c3eadc83dc84595bffc4d6acab717

AgentTesla

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210503-esh6x2s5g2/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

5f1afe7dc0fd30a011226a638b9010f060197bb477d45baeaf841651cd84f120

MD5 hash:

8499ff299c542705d7297d1bc694c0d9

SHA1 hash:

d0a591e2a2fa9209f6d85d8576703eaf324d69c6

Link:

https://www.unpac.me/results/dbb6844c-0118-40ca-aa28-9ed766095a21/

SH256 hash:

919ad9fe04471346cf428d8dec37416c83ce47cc22d532724f4ea03c49c5b836

MD5 hash:

9a1895bf32415fa217a53b97defcec97

SHA1 hash:

0b2158ea9370973daa87093d5116b416f1ac93bd

Link:

https://www.unpac.me/results/dbb6844c-0118-40ca-aa28-9ed766095a21/

SH256 hash:

8dc22e1920473eca003886953bc32cb4fe5c1ba16c8a6c6bced7fda43a421426

MD5 hash:

07c6c251f9becf11bdd45a217a5a08b9

SHA1 hash:

32ead1974a269272d18767511d41071c616ad593

Link:

https://www.unpac.me/results/dbb6844c-0118-40ca-aa28-9ed766095a21/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/8dc22e1920473eca003886953bc32cb4fe5c1ba16c8a6c6bced7fda43a421426

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/148484/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample