MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71
SHA3-384 hash: 03647a377b0cba08a89954655fa2e0744a33a7f9b402288ce6b6f312eb126726a2ff72180873f80cb3c2f8ced6f7a406
SHA1 hash: 68d62e93d0f2927a766ba6d6da6b83e05e1ec07d
MD5 hash: 0b381fde9a6d83204715d5a429ed0e86
humanhash: hot-spaghetti-winter-wisconsin
File name:SecuriteInfo.com.Win32.TrojanX-gen.11530.1442
Download: download sample
Signature AgentTesla
Create hunting rule
File size:325'632 bytes
First seen:2023-09-08 02:29:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:sScsigBfjS0uPhO8PIcXtOv5XD+kb+0QnqWYdeJf5BU9wjsiBcPvI/J:szgBf8PhO8wcdOxKkb2qOJf5BU9biBcC
Threatray 5'592 similar samples on MalwareBazaar
TLSH T17B64235563BDF830E9690472E3B693CCCA2D457A9E72DC0D4C61B24B5E15EF0CA48BE4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.TrojanX-gen.11530.1442
Verdict:
Malicious activity
Analysis date:
2023-09-08 02:29:36 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/ca1866a2-37fd-4356-b005-9c16258b9f9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447315/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64fa872befe2af27e9c5c938/reports/7707b776-053c-4665-b330-7239d1c0af5c/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47b41aab-ad01-4c79-9355-1ed973831d3a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305894
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1305894 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 44 wecaresvc.com 2->44 46 mail.wecaresvc.com 2->46 48 2 other IPs or domains 2->48 50 Found malware configuration 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 7 SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe 1 5 2->7         started        11 Qxmrwmb.exe 5 2->11         started        13 Qxmrwmb.exe 4 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\Qxmrwmb.exe, PE32 7->38 dropped 70 Creates multiple autostart registry keys 7->70 72 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->72 74 Writes to foreign memory regions 7->74 17 aspnet_compiler.exe 17 4 7->17         started        76 Antivirus detection for dropped file 11->76 78 Multi AV Scanner detection for dropped file 11->78 80 Machine Learning detection for dropped file 11->80 22 aspnet_compiler.exe 3 11->22         started        24 aspnet_compiler.exe 11->24         started        26 aspnet_compiler.exe 11->26         started        28 aspnet_compiler.exe 11->28         started        82 Allocates memory in foreign processes 13->82 84 Injects a PE file into a foreign processes 13->84 30 aspnet_compiler.exe 13->30         started        32 conhost.exe 15->32         started        34 conhost.exe 15->34         started        signatures6 process7 dnsIp8 40 wecaresvc.com 103.138.106.17, 49764, 49767, 49778 ABOVE-AS-APAboveNetCommunicationsTaiwanTW Taiwan; Republic of China (ROC) 17->40 42 api4.ipify.org 64.185.227.156, 443, 49763, 49765 WEBNXUS United States 17->42 36 C:\Users\user\AppData\Roaming\...\My App.exe, PE32 17->36 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->60 62 Tries to steal Mail credentials (via file / registry access) 17->62 64 Creates multiple autostart registry keys 17->64 66 Tries to harvest and steal browser information (history, passwords, etc) 30->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->68 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-09-08 00:42:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4z2e5rqn7ilswll2xdgovkrskfwmhp5s4g3twlkcboocrdrpnyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
357bf981d0f184aaffdb927ac78f1032874237e9d57d6992841d1c0a348104dd
AgentTesla
44e7563cc23e81b456765229dd4343d8cf898e346eb0e6ee691b77b9a582d15a
AgentTesla
580e9a403ba5923d9efd54ef7f708e0adea2615936cfad7caa1ef38524d50559
AgentTesla
83e202c299d139b909d80f39e81487515d2f21a9a0b6546f42dbd194088e07e7
AgentTesla
8be1494cfcd5e3b5d6f1928b7a25c682317e294ff937f93bdff12d37944dffe8
AgentTesla
be9814408f080bad72bb81c70d752b3fb1da0bb3b03382a8161a967accc1bb4d
AgentTesla
c14cf2077de0f4e6ed3e925c72350a570006f62fcb7d63cbd2c1063afb5a0c26
AgentTesla
d62ab80a981120bc862738658cae6128082845908836dd11bbdd8c9e7995b17a
AgentTesla
db604e87813d78254ad31ff37943e58df66714b5b9df25590b4055730c0a65fc
AgentTesla
f5f29e2401ff3309c8c73fbb601845f92349017aff38822b467556796b2c9553
AgentTesla
+ 5'582 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230908-cy5r7sga74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
b32daba92be8c7e76e28559a0638be5dc32ef3082f958f8e97a0fc5dd9344d03
MD5 hash:
aff0e8d53608832070482996025dbdf2
SHA1 hash:
ec1c898eed5ab8551763c2644478665815176ae8
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/3dd87b5e-30d5-416d-9c22-2df292f558eb/
Parent samples :
8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71
6d1a4d7efb7a1e955a3206b26af22bf5e85d600db7d8541598e0c40d60747b6d
e75bb7380b7386458dfd803bfeab63228ff0e3d27121db683675458f2affbe10
b110273433c1a17c21badd8b03f2c45c3f4d5ce56d73fd9b731cb1540f7fc680
3aa409bc939bc8f42a7cd90af7fbd01c3e3c0b943a2988224b439df18ec3d3b5
f679e4d7e9309d91bda6ee6f61d792c784c7e3367184775c1bfdc5010f6d7a15
003569fddd9c4c72cfd68b3188ffc2700138a90212a85aedbf040e1f68f9acdd
SH256 hash:
f22cdc9b4934137ff64e33986534cf383c95230435fcff73775dec4f715e7ed5
MD5 hash:
a9ce916629d80e53ab2fc69fad3cb415
SHA1 hash:
77b1058cde945683156e078fc602e45f9aeb185d
Link:
https://www.unpac.me/results/3dd87b5e-30d5-416d-9c22-2df292f558eb/
SH256 hash:
eaae818680739ae9f63c4f1db224f938b1f0ea9f215a4ac7a4a53f40125d9d5e
MD5 hash:
1eb5fe2edad4f4d57300268193cf8f98
SHA1 hash:
1d8bf27cab408d2298bdd046cf15342ee0c44919
Link:
https://www.unpac.me/results/3dd87b5e-30d5-416d-9c22-2df292f558eb/
SH256 hash:
bacd137ba4fcf9829456c1cc80ffb2478b7488f2c1e36ec918bf1aace384b64b
MD5 hash:
96c79693d87179dac08a9d7af60024a4
SHA1 hash:
0cf148455aad8a5c2ea31ec939ce0ee48b556703
Link:
https://www.unpac.me/results/3dd87b5e-30d5-416d-9c22-2df292f558eb/
SH256 hash:
8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71
MD5 hash:
0b381fde9a6d83204715d5a429ed0e86
SHA1 hash:
68d62e93d0f2927a766ba6d6da6b83e05e1ec07d
Link:
https://www.unpac.me/results/3dd87b5e-30d5-416d-9c22-2df292f558eb/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f33a276306f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/8f33a276306fd0b9596bd5c6675551928b661dfd970db9d96a105ce144717b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447315/

Comments