MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

SHA256 hash: 8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
SHA3-384 hash: 76955cfce223084488f0a987521ea1fc70316dba0147916f05b98ceaf234a5cb42192c261f3c88af3ef0ab388ca840aa
SHA1 hash: aea0dc9969e6a6d179fa0a0d982e672dd0296acf
MD5 hash: a90c751af10335be48aa30d221628e1a
humanhash: failed-bluebird-iowa-salami
File name: a90c751af10335be48aa30d221628e1a.exe
Signature: AgentTesla
File size: 589'824 bytes
First seen: 2020-11-18 11:04:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:P+gSY8nx51CmtUBMh3j5aSt8lSqPW4ztD+XHpSGJNRiGxakT:98x51/SU3FptIBpOlJNkGxa
Threatray: 1'355 similar samples on MalwareBazaar
TLSH: 15C423631FAC8AACE1AE0275E1B608DC09B6B5916421D6D1ED0CE19E33B3F5861747F1
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 319563; sample JAwKglsbZ8.exe; start date 18/11/2020; architecture WINDOWS; score 80). The graph image itself is not reproduced here; this is the process tree recovered from its node list:

JAwKglsbZ8.exe (Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample; Uses schtasks.exe or at.exe to add and modify task schedules)
  drops: a PE32 file under C:\Users\user\AppData\Roaming\ (file name garbled in the export) and that file's Zone.Identifier stream (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  starts: WerFault.exe (drops C:\ProgramData\Microsoft\...\Report.wer, Little-endian)
  starts: schtasks.exe, which starts conhost.exe and MpCmdRun.exe (MpCmdRun.exe in turn starts conhost.exe)
  starts: schtasks.exe, which starts conhost.exe
  starts: three further processes whose names the export shows only as "None"; the first of them carries Multi AV Scanner detection for dropped file and Machine Learning detection for dropped file
    each of the three starts schtasks.exe (each followed by conhost.exe); the first two also start WerFault.exe
Result
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2020-11-18 07:51:46 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
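The behaviours listed above (scheduled-task creation, a Run key, a PE dropped under %AppData% and then executed, Zone.Identifier tampering) translate directly into host-side detection logic. The script below is an added example written for this page, not code from MalwareBazaar or any of the vendors quoted; the event records are constructed and follow an assumed Sysmon-like field layout (type, image, parent_image, command_line, target, details), and the dropped file name svc.exe is a placeholder because the real name is not recoverable from the report.

```python
"""Turn the sandbox behaviours into detection checks over endpoint telemetry.

Added example. Event schema (type/image/parent_image/command_line/target/
details) is an assumption modelled on Sysmon-style fields; adapt the key
names to whatever your EDR or Sysmon pipeline actually emits.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# User-writable profile location used as the drop directory (%AppData%).
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Per-user and machine Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Processes expected to write Mark-of-the-Web streams; anything else is suspect.
MOTW_WRITERS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_schtasks(ev: dict) -> Optional[Finding]:
    """schtasks.exe /create whose parent lives in a user profile directory."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "schtasks.exe":
        return None
    if re.search(r"(^|\s)/create(\s|$)", ev["command_line"], re.I) and APPDATA_RE.search(ev["parent_image"]):
        return Finding("scheduled_task_persistence", ev["command_line"])
    return None


def check_run_key(ev: dict) -> Optional[Finding]:
    """Run/RunOnce value whose data points at a binary under AppData."""
    if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]) and APPDATA_RE.search(ev.get("details", "")):
        return Finding("run_key_persistence", ev["target"])
    return None


def check_zone_identifier(ev: dict) -> Optional[Finding]:
    """Zone.Identifier stream created or deleted by something other than a browser or mail client."""
    if ev["type"] in ("stream_create", "file_delete") and ev["target"].lower().endswith(":zone.identifier"):
        if _basename(ev["image"]) not in MOTW_WRITERS:
            return Finding("motw_tampering", f'{_basename(ev["image"])} -> {ev["target"]}')
    return None


def check_drop_and_run(events: Iterable[dict]) -> List[Finding]:
    """Correlate a PE written under AppData with a later process start of that same path."""
    dropped, found = {}, []
    for ev in events:
        tgt = ev.get("target", "").lower()
        if ev["type"] == "file_create" and APPDATA_RE.search(tgt) and tgt.endswith(".exe"):
            dropped[tgt] = ev["image"]
        elif ev["type"] == "process_create" and ev["image"].lower() in dropped:
            found.append(Finding("appdata_drop_and_execute", f'{dropped[ev["image"].lower()]} dropped and ran {ev["image"]}'))
    return found


def scan(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        for check in (check_schtasks, check_run_key, check_zone_identifier):
            f = check(ev)
            if f:
                findings.append(f)
    findings.extend(check_drop_and_run(events))
    return findings


# Constructed telemetry mirroring the chain in the report: the sample drops a PE
# under %AppData%, strips its Zone.Identifier, runs it, and the copy registers a
# scheduled task and a Run key. These are not real log lines.
SAMPLE = r"C:\Users\user\Desktop\JAwKglsbZ8.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\svc.exe"  # placeholder name; the real one is not in the report
EVENTS = [
    {"type": "file_create", "image": SAMPLE, "target": DROPPED},
    {"type": "file_delete", "image": SAMPLE, "target": DROPPED + ":Zone.Identifier"},
    {"type": "process_create", "image": DROPPED, "parent_image": SAMPLE, "command_line": DROPPED},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": DROPPED,
     "command_line": '"schtasks.exe" /Create /TN "Updates\\svc" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.tmp"'},
    {"type": "registry_set", "image": DROPPED,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc", "details": DROPPED},
    # Benign control: a browser writing Mark-of-the-Web must not fire.
    {"type": "stream_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f.rule, "|", f.evidence)
```

The Zone.Identifier check is the one most likely to need tuning: installers and archive tools also touch that stream, so extend MOTW_WRITERS from your own baseline rather than from this list.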
Unpacked files

SHA256 hash: 399963bbfcc13b0d12972a46e7f47a59faf4bb79d6858a42a73b2c179eb7e004
MD5 hash: fc5be5a2ca481059fb517ba2b0b71eab
SHA1 hash: 21996270b8262542be8af8bb0943c1dd40a6aaa8

SHA256 hash: 5780ec8d907b6679866dd053898329161f8bb81dc50d70ea49265941fda3705c
MD5 hash: ec6c8ff13215b8edb95e968f53220368
SHA1 hash: 2337399abdaea5af6286020c45b1a51a5463f5f7

SHA256 hash: 8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
MD5 hash: a90c751af10335be48aa30d221628e1a
SHA1 hash: aea0dc9969e6a6d179fa0a0d982e672dd0296acf
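The three hash triples above (together with the SHA256/SHA1/MD5 in the header) are the entry's usable file IOCs. The script below is an added example, not a MalwareBazaar tool: it computes SHA256, SHA1, MD5 and SHA3-384 in a single read of each file and matches any of them against the table, so a feed that carries only one hash type (MD5-only blocklists are common) still produces a hit. The files written by demo_scan() are constructed fixtures, not the sample.

```python
"""Match files on disk against the hash IOCs published in this entry.

Added example. IOCS copies the SHA256/SHA1/MD5 triples from the entry's
"Unpacked files" list; everything else (the fixture files, the temp dir)
is constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

# sha256 -> (sha1, md5), as listed on the page.
IOCS: Dict[str, Tuple[str, str]] = {
    "8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413":
        ("aea0dc9969e6a6d179fa0a0d982e672dd0296acf", "a90c751af10335be48aa30d221628e1a"),
    "399963bbfcc13b0d12972a46e7f47a59faf4bb79d6858a42a73b2c179eb7e004":
        ("21996270b8262542be8af8bb0943c1dd40a6aaa8", "fc5be5a2ca481059fb517ba2b0b71eab"),
    "5780ec8d907b6679866dd053898329161f8bb81dc50d70ea49265941fda3705c":
        ("2337399abdaea5af6286020c45b1a51a5463f5f7", "ec6c8ff13215b8edb95e968f53220368"),
}
ALGOS = ("sha256", "sha1", "md5", "sha3_384")


def digests_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """One pass over the file feeding every hash context, so large samples are read once."""
    ctxs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for ctx in ctxs.values():
                ctx.update(block)
    return {a: ctx.hexdigest() for a, ctx in ctxs.items()}


def lookup(d: Dict[str, str], iocs: Dict[str, Tuple[str, str]] = IOCS) -> Optional[str]:
    """Return the IOC's SHA256 when any of the file's SHA256, SHA1 or MD5 matches."""
    for sha256, (sha1, md5) in iocs.items():
        if d["sha256"] == sha256 or d["sha1"] == sha1 or d["md5"] == md5:
            return sha256
    return None


def scan_dir(root: Path, iocs: Dict[str, Tuple[str, str]] = IOCS) -> Iterator[Tuple[Path, str]]:
    """Yield (path, matched_sha256) for every regular file under root that hits the table."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hit = lookup(digests_file(p), iocs)
            if hit:
                yield p, hit


def demo_scan() -> list:
    """Constructed fixture: a benign file plus one whose digests are added to a copy of the table."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign.bin"
        planted = Path(tmp) / "planted.bin"
        benign.write_bytes(b"hello")
        planted.write_bytes(b"constructed payload, not the sample")
        d = digests_bytes(planted.read_bytes())
        table = dict(IOCS)
        table[d["sha256"]] = (d["sha1"], d["md5"])
        return [p.name for p, _ in scan_dir(Path(tmp), table)]


if __name__ == "__main__":
    print(demo_scan())
```

Point scan_dir() at a quarantine or download folder to check real files. The imphash, ssdeep and TLSH values in the entry need the pefile, ssdeep and tlsh packages respectively and are deliberately left out of this stdlib-only version.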
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: AgentTesla
File: Executable exe 8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413 (this sample)

Comments