MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f413aa06fb8fbef72fbdc7d4a8966f77988665ef828733d4f4b19a1d83ce754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	8f413aa06fb8fbef72fbdc7d4a8966f77988665ef828733d4f4b19a1d83ce754
SHA3-384 hash:	8aed3aea43b9c418b859785a71eb938589caef94638c9ff0b9e1653a57a835dc8cee7a00c948c28ea8b0ebb8a313b018
SHA1 hash:	eb7043dc61e16c5c8165c1563e6c8c9267761763
MD5 hash:	53979ff1c2f7a5d6a37e2b99d1ddc1b3
humanhash:	nebraska-lion-grey-venus
File name:	pago_080402020184767.gz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	887'296 bytes
First seen:	2021-05-26 05:41:13 UTC
Last seen:	2021-05-26 20:15:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:x0IIK2eESCw+bktccxj/LJwtEf2Kq+FnjYz4ZrtKS5IKUaE+:xnIVsmocizJwqf7lFnjYqtBI/
Threatray	5'689 similar samples on MalwareBazaar
TLSH	861506E27118FB7BCC0416F26C9734E7CAB32C1B901DC7AD24E6A5D52C985A68C3F265
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

pago_080402020184767.gz.exe

Verdict:

Suspicious activity

Analysis date:

2021-05-26 05:49:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c3b7e27e-63f9-422b-bf76-ddd6af37b4e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/162207/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.647-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/792241

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8f413aa06fb8fbef72fbdc7d4a8966f77988665ef828733d4f4b19a1d83ce754/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-26 05:16:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 47 (51.06%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r5atvidpxd5664x33r6uvclg654yqzs67auhgpkpjmm2dwb445ka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08ed81d42bb6470598b1af70ce90b5147d1f029b12980fe3042dee478f29e28e

AgentTesla

163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644

AgentTesla

1d4b81ebf8bf53797d2a87ed7571f787263079e797885e7dc905fa5b3e50079f

AgentTesla

30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e

AgentTesla

397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea

AgentTesla

524306af2db603c7db95227603c3014b67c27cfb2f88d12de2a599ece24575e2

AgentTesla

56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547

AgentTesla

5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b

AgentTesla

96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c

AgentTesla

+ 5'679 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210526-tngysq7vd2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f413aa06fb8fbef72fbdc7d4a8966f77988665ef828733d4f4b19a1d83ce754

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.