MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565
SHA3-384 hash: 2ee73a8c1e5c9351dc8a53165952482afcedbb93f472f863c300bf2dafcefb2fb6313e61e289e175d9eb4a9772fb159b
SHA1 hash: ed6ad429ebfffa80caa7fffec341db2d07574d91
MD5 hash: 13cfec996bd3e91c5e030945be617a68
humanhash: virginia-muppet-hotel-high
File name:13cfec996bd3e91c5e030945be617a68
Download: download sample
Signature AgentTesla
Create hunting rule
File size:509'952 bytes
First seen:2022-01-13 15:01:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1BC+RPpud7W+qqlFJBXAS1dABWaXys6aPKhh:1AMPsd1DJVxHAjr8
Threatray 14'354 similar samples on MalwareBazaar
TLSH T128B4012137E9475EE9BE47B90A75D15087F6FD292A05DA1C1CC231CE5BB37828B20E63
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13cfec996bd3e91c5e030945be617a68
Verdict:
Malicious activity
Analysis date:
2022-01-13 15:24:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ef04194-98cc-4d78-a9ee-7d579588630f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219058/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.31828.3746.28002.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61e03efff2e8ec86fef85b30/reports/81eb2823-83cd-405e-919c-4f802c8a6174/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e23709b1-2b8a-4058-a81e-18f322a2eaab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920204
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 04:35:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4uk4espftwgiyjbfavnrbecberdjt5qckisbfn3zvkwtuxvkvsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28fc5135ea1f14ea296184a3e518908ae77d88f100efa162bf30c046790197a3
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
45be52ba60dc2401394324f60b577b4919b19442577c34b2f7e89d88fdcd4f94
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
7bd68279cf4cc59ba39b3d6709bae5312c55b880562ad88b606516d415b2b8a4
AgentTesla
b032521341d2f76b1fe69ead761ce67c48fd4ebc7c4ecdb4e7d81dc8b9935e1e
AgentTesla
b86905276e81077e6f84b256d57ec516f3f458b427f5a015088e56a11f9553cd
AgentTesla
c7f4ad3987c2026cd2051b487f34e9f2a56249dc319ab066497be27e01a2ea6e
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
f7437bba4e59178441160b2b89e5aa94ee2afca4f07b7f1a47d5e93468de4742
AgentTesla
+ 14'344 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220113-sejnmabagr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5309dffc9dfe5a55db44db3e41a5455c08f5de3acd5fffbe08c79cdc5d243e79
MD5 hash:
fac08aecf1801bad50003177d5385661
SHA1 hash:
ec6358d0549e041f7b457b1271766c77ce7d9566
Link:
https://www.unpac.me/results/8e711eda-609a-495f-bd6f-222c0c4e0a3f/
SH256 hash:
6d6255e43f8c15ac35d75832b1b8ac911010720326488ca424eee3e0566817c6
MD5 hash:
6fbeffefb041ca0248c2873f8f170127
SHA1 hash:
dc99780c9888bd4855c7fb8c75e95921ecd6a96a
Link:
https://www.unpac.me/results/8e711eda-609a-495f-bd6f-222c0c4e0a3f/
SH256 hash:
b328782d470d4c70e49d10dd8c1d21ba36e182e4cffbf5a06c74c651175bf26a
MD5 hash:
5c13d309008206fc771d1a7891562b89
SHA1 hash:
d95c7d9c5b8f1884f9850200d7c963444a69753b
Link:
https://www.unpac.me/results/8e711eda-609a-495f-bd6f-222c0c4e0a3f/
SH256 hash:
8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565
MD5 hash:
13cfec996bd3e91c5e030945be617a68
SHA1 hash:
ed6ad429ebfffa80caa7fffec341db2d07574d91
Link:
https://www.unpac.me/results/8e711eda-609a-495f-bd6f-222c0c4e0a3f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8f28ae124f2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8f28ae124f2cec646121282ad88482092234cfb012912095bbcd5569d2f55565

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1973984/
Cape
Cape
https://www.capesandbox.com/analysis/219058/

Comments


Avatar
zbet commented on 2022-01-13 15:01:15 UTC

url : hxxp://paxz.tk/hussanzx.exe