MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085
SHA3-384 hash: cea790ddcca333ed3281f2795dcc680722fcca226873d60fc8c61c71d5ba6fd943c56b61a71477b48dd29d69ea02f9fd
SHA1 hash: db708f0f848895cbeb08f3a5f88b8cc6aaf6fe47
MD5 hash: 52414d9d7d48524e4b07965dfaa34566
humanhash: floor-orange-apart-twenty
File name:$17800.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:982'016 bytes
First seen:2021-01-06 07:42:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:t3G4u+pbXKIRRxfiZbhOK9T25im5Ppht5:t2h+p+yfsUn5P
Threatray 2'199 similar samples on MalwareBazaar
TLSH DA25BE522755AF25E07C077BA99C9905E3FAEC0A8322CD7F6CD630CE51A2FA19570933
Reporter abuse_ch
Tags:AgentTesla exe Rackspace


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp113.iad3a.emailsrvr.com
Sending IP: 173.203.187.113
From: info@alfaintech.com
Subject: Payment attached
Attachment: 17800.IMG (contains "$17800.exe")

AgentTesla SMTP exfil server:
mail.famasoluciones.com:587

AgentTesla SMTP exfil email address:
securi@famasoluciones.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
$17800.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:44:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/903549db-0849-4881-b4cb-e42cf1007944

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110693/
Result
Verdict:
Clean
Maliciousness:
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574880
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 07:43:05 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2hh33iov3o2injs7iclsyss2uh6hjwwncrbusx7aunlxn2kyccq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
137786f20b01ea831020cafde76ca06e6bdb2304525692aa46a7b98207b6bd93
AgentTesla
567e0aa34b26e04924a723b478d32771494b759419e40f00b919167af194c039
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
a730154eedce8c175f18e82c1102e01a7ee94fd74cbee7df85b473233ea764e6
AgentTesla
c21731c38a19247edee143dded4219f87e4a9bf43d5aa7d4f70d212162223448
AgentTesla
c2b31bcc1986833d18247dcdd78c61d6b70158226f42f7951f1294bc2a370048
AgentTesla
cbf9d4ef21092210f58ad0cbdd4753dbbf785387dd8f3001014672679196c65c
AgentTesla
e28ed19326e3b7a86441b0e66f286e70fa1f9cf0131d5821e303d4ea6225fe06
AgentTesla
fd487c8892d4d57d7efa830b72648b2c5234ba09a0dfdced267bf5943a1861a5
AgentTesla
+ 2'189 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210106-4passxth72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Unpacked files
SH256 hash:
8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085
MD5 hash:
52414d9d7d48524e4b07965dfaa34566
SHA1 hash:
db708f0f848895cbeb08f3a5f88b8cc6aaf6fe47
Link:
https://www.unpac.me/results/4a7ba748-0051-4880-b0ac-07da081a1af5/
SH256 hash:
d6cf113b146243d2aee9c713398ebbb9b761d2a2d42ad8f84f2e6ac809a4ff63
MD5 hash:
a3ba87f3f0e84a354e861713cacc1e28
SHA1 hash:
90f3713e2868b90c20179edad1826bd791b7b2fb
Link:
https://www.unpac.me/results/4a7ba748-0051-4880-b0ac-07da081a1af5/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/4a7ba748-0051-4880-b0ac-07da081a1af5/
SH256 hash:
ef1e7caf4d1757497e8c5a594bff2e4edf2a59e94451ff8e5b2151cf7453cef5
MD5 hash:
50a8087e4608a59e2d7b720e6e67294d
SHA1 hash:
fc29414dcf1aaaed96d0369e04ea23a40a61293d
Link:
https://www.unpac.me/results/4a7ba748-0051-4880-b0ac-07da081a1af5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img c8d50d3ddf3ad065781f14fe06439ccfd9d47255fb9b87834a0cab64baf87dc1

AgentTesla

Executable exe 8e8e7ded0eaedda43532fa04b96252d50fe3a6d668a21a4aff051abbb74ac085

(this sample)

  
Dropped by
MD5 ee6926bbe50aadc5289b00193551b423
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110693/
  
Dropped by
SHA256 c8d50d3ddf3ad065781f14fe06439ccfd9d47255fb9b87834a0cab64baf87dc1

Comments