MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261
SHA3-384 hash: 14953b7ed827590bcebaa3bdbc5c1115159a46fc85540c7ea7e57d7eb66c28a85b151c105a5834b3bde64305b2fa4de6
SHA1 hash: ccac37dcf889a25e9895408e67f5ddcc80412b72
MD5 hash: e1e7aae0c73232df9f1f3c45998bf6da
humanhash: hot-ink-alpha-johnny
File name:copy_106_10210_31doc.7z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:140'949 bytes
First seen:2024-04-13 10:53:03 UTC
Last seen:2024-04-15 06:14:30 UTC
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 3072:oODLHkZLPlaUnbJqFcbpgnlBuBjhYHMTp+d0YjkCKBVtLMN:lk9M/Fcbp3BiqpVY58tLMN
TLSH T106D312536DF32B7B846537562C5D81A25C07346BCFE5DB472C0E54842AA0DBEE36E09C
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:7z AgentTesla


Avatar
cocaman
Malicious email (T1566.001)
From: ""Mr.Saad Ayub Bhatti" <sales@smtp-rdp.top>" (likely spoofed)
Received: "from smtp-rdp.top (unknown [5.8.55.92]) "
Date: "Sun, 14 Apr 2024 15:25:38 +0300"
Subject: "04/13/24 (Requisite Completion)"
Attachment: "copy_106_10210_31doc.7z"

Intelligence

File Origin
# of uploads :
51
# of downloads :
93
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:copy_106_10210_31.exe
File size:394'616 bytes
SHA256 hash: 8b8d68a47897fc7f8612ad932aec65de7e5523d2ed7619dadb686f1c1adeab80
MD5 hash: 07fbac0c871b672676014316921417aa
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/661a644b0b46b3036934e8fc/reports/9b4fabdf-7093-4fe1-ace4-00d05f13c50f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261/
Threat name:
Win32.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2024-04-12 16:45:24 UTC
File Type:
Binary (Archive)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3w6gxvyocwoigbkuu3znvsjztzjgya3r4fgz53xysr2ikxwmjqq._file
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:xworm family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240413-tbmrjshf4x/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect Xworm Payload
Detect ZGRat V1
Xworm
ZGRat
Malware Config
C2 Extraction:
94.156.65.181:5353
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 8eede35eb870ace4182aa53796d649ccf293601b8f0a6cf777c4a3a42af66261

(this sample)

AgentTesla

Executable exe 8b8d68a47897fc7f8612ad932aec65de7e5523d2ed7619dadb686f1c1adeab80

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8b8d68a47897fc7f8612ad932aec65de7e5523d2ed7619dadb686f1c1adeab80
  
Dropping
AgentTesla
  
Dropping
MD5 07fbac0c871b672676014316921417aa

Comments