MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e401cc1c138603fe09da9c9728bf91c7fe2c1f935eec17c940ee5ecde4b08bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	8e401cc1c138603fe09da9c9728bf91c7fe2c1f935eec17c940ee5ecde4b08bc
SHA3-384 hash:	1bfc379a1b2abcc470990cf0ed0f05498d62668c4aeaa88ad04f1085bbeb19e8984bbf51233f998d23196e588533f5bd
SHA1 hash:	f9708f7385e06e1a128bd11ccd3fc919f4077163
MD5 hash:	45d24afeca45856e8abebd2c73457dd3
humanhash:	quebec-alabama-seventeen-potato
File name:	OXZvtmYZMEhlMPmZBGKZkISNJPkEFfRgP.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	219'136 bytes
First seen:	2020-10-12 21:54:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	3072:aD9WKZ3mF+Da9iEGBFGvaUCffuD7QtjYLaupV+zROkn7wNf4fok4Qbeqwu0tKXqF:2SivB8yUqN6LBL+kxNQAkzv3oK
Threatray	483 similar samples on MalwareBazaar
TLSH	5124291A6715D561CB5F417FC016820831F1D707A72AD2CF1AA6D8FA2F812CEF92B8E5
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/70218/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.21465.1529.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/488998

Signature

Antivirus / Scanner detection for submitted sample

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e401cc1c138603fe09da9c9728bf91c7fe2c1f935eec17c940ee5ecde4b08bc/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-10-12 21:54:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzabzqobhbqd7ye5vhexfc7zdr76fqpzgxxmc7eub3s6zxslbc6a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

24d32404b88210f6f5cb58362bc6122c7f7545ee8b792c075df1b0069a4f10d5

AgentTesla

3d281e94d3e3d6dc20818716a5b45e09803a5e8cace71615d950d086b563cc40

AgentTesla

493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927

AgentTesla

6564b76eec49b15e7a3f42b48fedca593b48e5f145863dd16ea519b3bcf09e60

AgentTesla

757d376a5edc5d260ab3fb209797dbbdf3ce43f6331432174b1398f14e723e20

AgentTesla

bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828

AgentTesla

bf993f6195527053ecdbb6c83a6ddd94528d867b26e04cdebbbcb6f3bfd813c8

AgentTesla

ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f

AgentTesla

ea9516237a1278248e832b77e31dabb514bdc5c40e135bf72357c9dd4380ecf3

AgentTesla

+ 473 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201012-aga7x86ctx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

8e401cc1c138603fe09da9c9728bf91c7fe2c1f935eec17c940ee5ecde4b08bc

MD5 hash:

45d24afeca45856e8abebd2c73457dd3

SHA1 hash:

f9708f7385e06e1a128bd11ccd3fc919f4077163

Link:

https://www.unpac.me/results/6b76a240-50ea-43f2-ae24-f443319f6647/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/8e401cc1c138603fe09da9c9728bf91c7fe2c1f935eec17c940ee5ecde4b08bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/70218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample