MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f
SHA3-384 hash:	8c0db3b24ad5d31f5579fe13f8a9ebd055f57ed78771b0a4d3c9096afed436f9dfec65dd0f7bd245f355127c7642a94a
SHA1 hash:	4f9ddecdfe836801c344099983a8da84e0ed8e17
MD5 hash:	7b88926060db13c759d9009ee87b13d9
humanhash:	mirror-five-double-quiet
File name:	Invoice documents-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	842'752 bytes
First seen:	2021-05-08 08:26:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:tgczv75TdHBVuUKvhOwmbtQ/gRMeKCSd2eChtjdr7Onr0ApPCOGGfNMbH:ey75TmvfKtEgXW4NdrCnrLCj6N
Threatray	9 similar samples on MalwareBazaar
TLSH	7C05F1721398BBA5E1BE67391971E12013F1BC14E632CB0E7DE5349E25B3B8149B274B
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/153072/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/718167

Signature

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f/

Threat name:

ByteCode-MSIL.Infostealer.Coins

Status:

Malicious

First seen:

2021-05-08 08:04:43 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rxw2kh27ncs4iqvo7hdfhd4u3sl7ld4oil6efkteycmlpc6xb5xq._file

Verdict:

unknown

AgentTesla

1c20cd63f9cd5546ea34171525e5410d5b00b4dec1431f6d3025a872a613ad60

AgentTesla

218f924dedd043baa7bbc8428c4b5524e8e88613c0f19b749461de0fa61cb62f

AgentTesla

ae1bb452d80ac991a91861b13755c4f5c13b006c714cddcc5e03ae7263092e01

AgentTesla

bc88c73fda9a2ef51f979d2368a1039a04a0ce8199dc46b9f992a9ffacf58d8c

AgentTesla

c8c864915e84ba7ec98eed5ed70893bcb5b328e59751694595a71b303ea587aa

AgentTesla

e16e2748ad4a210f438886c9a564feb8e43e3f1396446fbcdda1512a648955d0

AgentTesla

fc3b3ec5757f584d1fe42cbba44a0cc2f70e11f02811a074b05003230e8cb657

AgentTesla

fd1dc434508928bc6ebdb5d29de7a1530f64b5d9eb8a9a577f97db741a62a644

AgentTesla

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210508-xlc224h5we/

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/219e214c-6ada-4675-b778-6f2f052791be/

SH256 hash:

8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f

MD5 hash:

7b88926060db13c759d9009ee87b13d9

SHA1 hash:

4f9ddecdfe836801c344099983a8da84e0ed8e17

Link:

https://www.unpac.me/results/219e214c-6ada-4675-b778-6f2f052791be/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/8deda51f5f68a5c442aef9c6538f94dc97f58f8e42fc42aa64c098b78bd70f6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153072/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample