MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16
SHA3-384 hash: 2b035fbfed390c38c4188b1b6dbdb158b910a0ac506f7d1321353821b336eb5296148284b8e3a34cb313019f821d0276
SHA1 hash: 1f45d1fc5cea4a4bd5f956092d7957445b0b87b5
MD5 hash: 736a43a5a0e21ce23b58c255aba81d0e
humanhash: shade-golf-alabama-cardinal
File name:736a43a5a0e21ce23b58c255aba81d0e
Download: download sample
Signature AgentTesla
Create hunting rule
File size:499'200 bytes
First seen:2021-06-29 21:15:21 UTC
Last seen:2021-06-29 21:36:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:3kjadEOCtVzWvwtcxLKjfJKWLl5ZlQVkDmOxFk2AJjgPlSskNlokvYjjs5DUwHeZ:3oiEFVzMFyJDVIkCZm8bo2YjSHzG7N
Threatray 6'326 similar samples on MalwareBazaar
TLSH 56B468EA70BB541EF0D5A6FDA591910C45A28D1C1C0EA56C0986AA35E1FEF8D0F4FF32
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
736a43a5a0e21ce23b58c255aba81d0e
Verdict:
Malicious activity
Analysis date:
2021-06-29 21:17:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c014500c-9aca-44a3-8046-e298fbb223d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168843/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.30732.23554.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55e2a273-0cde-4c09-b029-20f69fb32d24
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809694
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16/
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
207f05a5e84e9f10cad2447eec7aa745c5a007ab3d4b96f8fd776aa1fbdf6115
AgentTesla
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
AgentTesla
5babc76d8775abf188f86bf11116e49f43c88f702c74ff43d23015cca8cb012e
AgentTesla
77dafc4c23c98c2d0518eb6bcee7cfc13128c249dafc4d5faefbfb67425f40e1
AgentTesla
945fd7f1f9295af69bb5799a43d96d370c2e38ef08b4fc9b8258031ff99723f4
AgentTesla
991385089fc81b1c12c749cd0ce2fcfe7e43393eb3b1fc673420dbf4abd553a6
AgentTesla
b4eb47553d21aebc1f5716c2916e89397eab193c1648449b73876c17457d356a
AgentTesla
cb8a7d1d9c86d996899769e9abac0b326053dae7f9d8fc226aabfa89f3f8d16e
AgentTesla
d23d794e3cf354c91c283e13eaeae77749e3265866758d999b99c06a98861a05
AgentTesla
e860f949006657d88539f009376c3b6ed3947e81ddd1dcc2253f0c27b1945806
AgentTesla
+ 6'316 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210629-49vxk278px/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1848104837:AAGyG0hi_VP31PmMNbynbZPjJ66-QVsVr2Y/sendDocument
Unpacked files
SH256 hash:
173aa58b574b905cf4c9182d9e1c56d400d477d386d928887c6471dfdf19688b
MD5 hash:
a73fc15cd59372575fcae03c78b20a49
SHA1 hash:
b5c1b4188e297a16215a33b0a833dce90137c68f
Link:
https://www.unpac.me/results/18201198-6cbb-40a5-b661-ff96cdc07369/
SH256 hash:
302127d6b93a1104898d772e7f2d7b4bd06be154283c02223149464c0739190a
MD5 hash:
8b49cb654e3b25ecab35bc7c392ea5e4
SHA1 hash:
cfba4f9618a030305d24aa46f5f6569448293d33
Link:
https://www.unpac.me/results/18201198-6cbb-40a5-b661-ff96cdc07369/
SH256 hash:
f163ac3c20a9b4f41b1545606337cb147a9acf884765f68075ffe05194ad71dc
MD5 hash:
17af11565a1176b587d41fa248358b10
SHA1 hash:
56901b450ab221af095ea2ef10f69b167206c93c
Link:
https://www.unpac.me/results/18201198-6cbb-40a5-b661-ff96cdc07369/
SH256 hash:
8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16
MD5 hash:
736a43a5a0e21ce23b58c255aba81d0e
SHA1 hash:
1f45d1fc5cea4a4bd5f956092d7957445b0b87b5
Link:
https://www.unpac.me/results/18201198-6cbb-40a5-b661-ff96cdc07369/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8e1137f7628194ecd8ee39a246a9eff87a9c86d5e1d839b45784ae36b3b37d16

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168843/

Comments