MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a
SHA3-384 hash: 610e7879c3c7caec97565f894c367cbf0a4c1d4c2d5886e756cd8ce87fdb803f8ca76078c9a2e859de88b9a2a51abdf7
SHA1 hash: 35dc8b1abd5ac6e79eb1dc42bb2b456ed62b816b
MD5 hash: bbcde254909c0968cc1e61f3ed5dd85b
humanhash: vegan-october-may-sierra
File name:Order No. P0004028 - order registration.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:756'736 bytes
First seen:2023-07-24 17:35:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:bDvJRBusy2y4HxCVJ9eIlPaYxCqplIWb/yk2rivrsNzLFbY+RUF:3Fuiy4Hegvq4c/ykNjALFbYK
Threatray 555 similar samples on MalwareBazaar
TLSH T1CBF4022537B9AF52E1B8BBF5D2A041190371A0552877D38C0EF230CA1E66FC5AB91BD7
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Order No. P0004028 - order registration.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 21:38:11 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/db2a9919-1e82-43b1-957f-948945f112b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/431653/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2192.27769.2120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
67%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64beb6823a9a868a3c515f4c/reports/ee7db348-3246-442b-8d61-e9131ffa7027/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01a4ac90-6741-4b3e-b727-b0faae6fc226
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278560
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278560 Sample: Order_No._P0004028_-_order_... Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 5 other signatures 2->53 7 Order_No._P0004028_-_order_registration.exe 7 2->7         started        11 qmqqQeoVjgZTHi.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\qmqqQeoVjgZTHi.exe, PE32 7->31 dropped 33 C:\...\qmqqQeoVjgZTHi.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp28C3.tmp, XML 7->35 dropped 37 Order_No._P0004028...egistration.exe.log, ASCII 7->37 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 Order_No._P0004028_-_order_registration.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 qmqqQeoVjgZTHi.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 sconengr.com 138.201.250.101, 49705, 49708, 587 HETZNER-ASDE Germany 13->39 41 mail.sconengr.com 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 mail.sconengr.com 21->45 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->67 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 11:52:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3mjkd5fxcpkkrfdxx7dozt6fjabgarcpayy6mq5nai3zeaxccfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21275ed11f8b1b1b08d98607acd7c5ae3e1ad733782f91daf53be5b84feb0bd5
AgentTesla
3643035d381e44f0facf01f5463aa05fee4315b2c72fea1a96ef28d0185f7369
AgentTesla
395c0eed15d4b5605921f94d489c4dad2edc8fdc816d278e3065d2baa8db3607
AgentTesla
5ce651ac4d414f62033562a147cd6e7e821c408f50240ac3cd7c14fe89aaa108
AgentTesla
6771834e7cdb8a8f7813d313e65281901a61493653beb7fd0aad365036ede94a
AgentTesla
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
AgentTesla
7aceda8fea4cad8f6077aa809bcb427bc896e8f0639aa20fee3013eb077199be
AgentTesla
a04182cb18b9bba60134d31518fef14b138c40a631bd09c098a7cdd875f7daa2
AgentTesla
ad4b6d94d4628ea0901d0cc2471779dc6605f149385011051f7eff095874e8bd
AgentTesla
d975b68c91c59dddb7b6777f6f2f78300ddd9be5c51f483994ea26106839a017
AgentTesla
+ 545 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230724-v6j5ksgf3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/60efb339-5d96-4d08-8b0d-8e5941e2cb9d/
SH256 hash:
1c856af88bd839ee24742f6f1ebf82699b233dfbaa1152c55e858e9e0112074f
MD5 hash:
56074de639818a81c18a31233161a72b
SHA1 hash:
cd535cf073bb73c43cfc460cac0c5a08db2c74da
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/60efb339-5d96-4d08-8b0d-8e5941e2cb9d/
Parent samples :
49d9f493a484d19fd8daa4dc979eadc8f04c41de54dff21fab6959c106bf54bf
bb89170bee6cc45c068be0dbc7cd40078abb554065094f6bafd91575c7b2023c
fd80a61471b89fd67b5c966308c329fde1c6e70b0c229ac77d3407ca612090da
3643035d381e44f0facf01f5463aa05fee4315b2c72fea1a96ef28d0185f7369
8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a
abf3c41c95e2ab8b9336893ae549cae343b29da3b70af5d071fd33af09338a74
SH256 hash:
f6cbeb2b856aa9ff67bfd876a63b2e4ea49723500df6c9197879e8b63e8d57a8
MD5 hash:
c35749ecfd9eea5c1e14e3ed0331996d
SHA1 hash:
6efe1a7084a86324a4dce9cab86420519c6f80dd
Link:
https://www.unpac.me/results/60efb339-5d96-4d08-8b0d-8e5941e2cb9d/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/60efb339-5d96-4d08-8b0d-8e5941e2cb9d/
SH256 hash:
8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a
MD5 hash:
bbcde254909c0968cc1e61f3ed5dd85b
SHA1 hash:
35dc8b1abd5ac6e79eb1dc42bb2b456ed62b816b
Link:
https://www.unpac.me/results/60efb339-5d96-4d08-8b0d-8e5941e2cb9d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ed8950fa5b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ed8950fa5b89ea544a3bdfe37667e2a4013022278318f321d6811bc9017108a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/431653/

Comments