MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf
SHA3-384 hash: 9c43a6ed2bb401b5eb06cf25e1ad3991a09227ae2598487d44e75a52cf197bcd29522b0c9c12affec2175fc995db41ac
SHA1 hash: 07ab3c7a568d914694f546dd3c0ffc555f84bd1f
MD5 hash: fdf8e368690495690e2e6cf6763f64e3
humanhash: july-seventeen-cat-wisconsin
File name:FEBQ021 order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:137'728 bytes
First seen:2021-02-01 06:34:54 UTC
Last seen:2021-02-02 02:13:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:e1Jy9TfEb/7kYGyBIU9giNlfTlB+bRaLMPIlX2fgXtiR:e7y9TQTkYGyiNiUaHu
Threatray 2'342 similar samples on MalwareBazaar
TLSH 38D3D64177E8920DF5FB1F353AB1A0910F77BA97B822CA4C5A14169F0862F94CE71B63
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FEBQ021 order.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 06:36:04 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/943ee416-5355-4a20-bcc8-539aa1525259

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114404/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594968
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346521 Sample: FEBQ021 order.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 7 other signatures 2->56 6 zUbDt.exe 14 3 2->6         started        10 FEBQ021 order.exe 15 3 2->10         started        13 zUbDt.exe 2 2->13         started        process3 dnsIp4 28 192.168.2.1 unknown unknown 6->28 58 Multi AV Scanner detection for dropped file 6->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->62 15 zUbDt.exe 6 6->15         started        30 193.239.147.103, 49733, 49752, 49759 DEDIPATH-LLCUS Brunei Darussalam 10->30 26 C:\Users\user\...\FEBQ021 order.exe.log, ASCII 10->26 dropped 64 Injects a PE file into a foreign processes 10->64 19 FEBQ021 order.exe 2 9 10->19         started        file5 signatures6 process7 dnsIp8 32 mail.powerlinksworld.com 15->32 38 Tries to harvest and steal ftp login credentials 15->38 40 Tries to harvest and steal browser information (history, passwords, etc) 15->40 42 Installs a global keyboard hook 15->42 34 powerlinksworld.com 162.241.117.95, 49770, 49771, 49772 UNIFIEDLAYER-AS-1US United States 19->34 36 mail.powerlinksworld.com 19->36 22 C:\Users\user\AppData\Roaming\...\zUbDt.exe, PE32 19->22 dropped 24 C:\Users\user\...\zUbDt.exe:Zone.Identifier, ASCII 19->24 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->44 46 Tries to steal Mail credentials (via file access) 19->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->48 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-01 05:23:44 UTC
File Type:
PE (.Net Exe)
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rysn53yc3l65go5fliiqjcswz3i3awzgw77uimyjkteqlf3mjxpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
6f47301c8691d7f68ccf71931b8e2664fad0720d1f4d01f4bfda35cd1a076bd1
AgentTesla
89a79d6e08f22036f754947d43d1c5b6ba7865e246f462dedea0836dd748a8ea
AgentTesla
8afc7b48c3f0b24261ccda09724628ea978eb6028c07a52762f85fa7721d427c
AgentTesla
8fcfe841647c5f4d3f10b59fa63b2e2dff841b4c5c39cbfa828146281e49ad77
AgentTesla
97a573fd680ef24fba3d6d7247f05e3425696b8077f4afda2279801f6d4a57d4
AgentTesla
a08a2ea7f574259a68c3cc7d0ff2c1f46e9a57e9802cf5fc41803787564451e8
AgentTesla
c05e310c646407fa733712a98c822a5416ca1124322429d8d2a90966e909a6b5
AgentTesla
+ 2'332 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210201-pgkes48w8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf
MD5 hash:
fdf8e368690495690e2e6cf6763f64e3
SHA1 hash:
07ab3c7a568d914694f546dd3c0ffc555f84bd1f
Link:
https://www.unpac.me/results/3b0c23d0-e451-4582-84b2-424baad78028/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 99bd7a26aa0652c3ba76b97d87d480bc8f142774f7954161754df5ce7934241e

AgentTesla

Executable exe 8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 99bd7a26aa0652c3ba76b97d87d480bc8f142774f7954161754df5ce7934241e
Cape
Cape
https://www.capesandbox.com/analysis/114404/

Comments