MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f16209dc8df60e5da3953ae44825ff8737634f2a547bbc5d656b044064f6f2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	8f16209dc8df60e5da3953ae44825ff8737634f2a547bbc5d656b044064f6f2f
SHA3-384 hash:	6567863477f8ea87857bd31ca9de1abb2a85342fb23ed19a5ccc8cb46b6515b38f25edd42c9d46cc04e02b076747c957
SHA1 hash:	a8fba9621a0bf6f5c8e3c0056d4ca8a03c848347
MD5 hash:	14c3147355a9e5495a9e4238dbe199fb
humanhash:	queen-magazine-hotel-louisiana
File name:	SecuriteInfo.com.Trojan.Siggen19.4024.597.25846
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	847'872 bytes
First seen:	2022-11-07 19:19:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:9z757J3IfsHCs5PG2H7E5Cwrp2O1iKkca3zL//0NVd8Z7fDF5VS:F75dksHjEyI5dl1iKoz7uV6Zf5S
Threatray	23'039 similar samples on MalwareBazaar
TLSH	T1AF05C0F8084032F4EBAECF32956D2F6447A31D615382FA4F1494B1B61A337E39665D2B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.Siggen19.4024.597.25846

Verdict:

Malicious activity

Analysis date:

2022-11-07 19:22:20 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/9b944849-6880-452d-a901-437cbef411ee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330180/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.4024.597.25846.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63695a631b78baadf87f8ffa/reports/ad7f2956-1de1-4142-a51f-6645d9513427/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73047814-d621-4e38-915b-f9885cf50938

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1107606

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f16209dc8df60e5da3953ae44825ff8737634f2a547bbc5d656b044064f6f2f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-07 19:20:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4lcbhoi35qolwrzkoxejas77bzxmnhsuvd3xrowk2yeibspn4xq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

194b21139e3a9a343c63617ad33ee48abdfa1566a4302a04b65df43888395400

AgentTesla

1969ef2785557b7ef71514305c4ac60f913089b3db51e49b896d26a9bc7bc3f8

AgentTesla

21d72617c656bdc572048e2ac789da3e729ad92547542bc68a571dfa6b0b93f0

AgentTesla

64b497c548522493d43bceed2cc41630f90f044eee97c973aadf9a230d4ec500

AgentTesla

982b6350bb158c2e96fadc0cb7a07395aa4131721117b5d884004b05dad79f1b

AgentTesla

be06f8a3ed040aadf2598bc5a9b4c886c271ad7866505dba11b723dba968f518

AgentTesla

e618572ad0aa690e95be68f3d4c4ada7d0849685e8535307be1b68e886600b7b

AgentTesla

+ 23'029 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221107-x13qvagahr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/26639018-ce43-40a9-8b3f-5251d9fcfeb1

Unpacked files

SH256 hash:

2af082e8de3cf61fcce2fde4d691d5f9f86b41af8a5a4323af864dc0fd18a534

MD5 hash:

4c51acac95d525a2ff10f0fcbb11ebe4

SHA1 hash:

9cb586ebc348eedfc7a6c2062943bd6b2b70705d

Link:

https://www.unpac.me/results/a707f269-4082-43a0-bd09-d1f97e1589d4/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/a707f269-4082-43a0-bd09-d1f97e1589d4/

SH256 hash:

92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90

MD5 hash:

046e97119545e5abde2f40b5dc3a0344

SHA1 hash:

3e69b67ddff2554c8cd72e129d4da9c8acd9d331

Link:

https://www.unpac.me/results/a707f269-4082-43a0-bd09-d1f97e1589d4/

SH256 hash:

0ef571d11d67716ce693ed60b8460483a5c48db3a0b2c802e60c90439b1f2568

MD5 hash:

7cafa28a886590115567e3b8d02c15e9

SHA1 hash:

4f157d342d10677492399fd5ce669c0ce05d1704

Link:

https://www.unpac.me/results/a707f269-4082-43a0-bd09-d1f97e1589d4/

SH256 hash:

8f16209dc8df60e5da3953ae44825ff8737634f2a547bbc5d656b044064f6f2f

MD5 hash:

14c3147355a9e5495a9e4238dbe199fb

SHA1 hash:

a8fba9621a0bf6f5c8e3c0056d4ca8a03c848347

Link:

https://www.unpac.me/results/a707f269-4082-43a0-bd09-d1f97e1589d4/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8f16209dc8df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/8f16209dc8df60e5da3953ae44825ff8737634f2a547bbc5d656b044064f6f2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330180/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample