MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e
SHA3-384 hash: fc72c834ff69368972c0acd05f1eba8156ada16e336de3a38c3645e9785736b6d6f0f4e9e7b818c2fa68089c3ae9e9c0
SHA1 hash: 99c4b7b05a69e1e3e317d98aa779fb8a75716696
MD5 hash: 269f66c1e5d8514c759e356cbb366250
humanhash: november-table-twenty-video
File name:Bank transfer order_Invoice settlement 2021_1803 2021 11 16.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:439'296 bytes
First seen:2021-11-16 14:33:58 UTC
Last seen:2021-11-16 14:34:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Fm0NGfa1uEGHAzNMIU7ZED3TkPtzrHDL3:Fm0NGfW+HA26jk1/3
Threatray 12'762 similar samples on MalwareBazaar
TLSH T17B94E009BAEC4B07D46B6BF86BB6C5984372F1741337E3291E8064CB29E2B514B417B7
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206494/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6193c15c2695a62af9f156bb/reports/5c4b159e-288f-41a1-b70a-1b0a56e3d9f4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6fad5b6-c8a9-4bfa-80e2-87d1662a69a1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890450
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 14:35:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3s3pexxdkdlvnxbvqoyezu5i5fmdnhzop3bbmahj3ujx3lhgbxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e28058d4307d4fca91cbd0a4d2d0a6f950fbfa6500a8fc433c5ccb315c80d77
AgentTesla
43ce04c6b8f460899f646dde2d89608c45c52982dc389182d70a4c86cd20ce4a
AgentTesla
65311e0d5afc8166606e9db1371b113b630cc15d4c28d8324273caa1540e211b
AgentTesla
877fbae1ee57fedd9ad5406e6ac3750f737dadc3ac6e2677f730b8e330fa6c95
AgentTesla
bbca8dbd55f6feaca533c226f8c0e2af7efed8ed37772bdb8a0ff4eb5008a0fb
AgentTesla
ce6f26feac8b78450380877161487e271e676a50cc93f8a7a2ecea65b5e41020
AgentTesla
dce5f044b1f4396f33c3574667169dcbdeb3aebb037c9f53d7a8c38e095f576d
AgentTesla
f6615944bcd14eb2cc0169ddcc82da15b04f9f20f7e4f646118550c9d6d49b90
AgentTesla
+ 12'752 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211116-rxe8gsbbfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/d94b24ce-82d0-4917-a831-5086d95fe113/
SH256 hash:
dc2c5f7bcb1dc0087e3591f88530fa8a8d8c9874f536050cb716c3f48ebca421
MD5 hash:
72232c45e732849918155a85de149e91
SHA1 hash:
7864403ab93b945b580fab72d5720ee06aa2b18d
Link:
https://www.unpac.me/results/d94b24ce-82d0-4917-a831-5086d95fe113/
SH256 hash:
9b66c672d72cbf9472a67879e7c116168c6663512a6b9c59244f5fbeddeeece1
MD5 hash:
66950838b7e1e8509568e2437fec26d8
SHA1 hash:
196811abed71babdc206b585da93db8ece63ae40
Link:
https://www.unpac.me/results/d94b24ce-82d0-4917-a831-5086d95fe113/
SH256 hash:
8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e
MD5 hash:
269f66c1e5d8514c759e356cbb366250
SHA1 hash:
99c4b7b05a69e1e3e317d98aa779fb8a75716696
Link:
https://www.unpac.me/results/d94b24ce-82d0-4917-a831-5086d95fe113/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8ee5b792f71a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/206494/

Comments