MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f47662859b3b38c6d1eb1795d75def0063d8df82e06e303d3dac879e06d5e79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f47662859b3b38c6d1eb1795d75def0063d8df82e06e303d3dac879e06d5e79
SHA3-384 hash: 028c029062ba7ece51ec79a7594dc99e4d336f42e9875fe3f78ecbb90a423f2aa9ed52d6ae551a66a10de8649f4f8296
SHA1 hash: d205597b76523621aa555336d8bf0a7d34d95520
MD5 hash: 1d9b36b45481f5d3494e79babedcc977
humanhash: georgia-rugby-massachusetts-batman
File name:admin.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'293'312 bytes
First seen:2021-07-28 13:07:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:KYE6Cm9APOsBgo0q4wMr7T5+unT5B2wJaehm:KbmoHMr7TAunTzJae
Threatray 7'499 similar samples on MalwareBazaar
TLSH T156557C747BFD2A0AF0BB577E5074C1B24974B466EA12C32D792272CA0B32359C25D72B
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
admin.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 13:28:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61946d35-2f7b-4579-bb43-96beb5bfd2c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174650/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87ebd2b5-1578-4d57-871f-80013a0e5f30
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/823072
Signature
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 11:09:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f6af6375055f4d2caa277a6cd81dd329c707d28ba14f867ee7af5b426e4e7d2
AgentTesla
129b0eec0aa5c415ff6ad11445c5fca395785ea83127aba7061022fd7519f648
AgentTesla
194002e9089c0c5335d793900f1678dd44fc771932c7a9fcc7aa87c36e008685
AgentTesla
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
AgentTesla
56d24e5d0336a8aefcaab14ba38932966d7f69c46ea874ab8d7565ea6de94a7d
AgentTesla
61ee3545921c4ddf2a41826b2425dc43b4902353a01798f5516e9afdf4a10d63
AgentTesla
63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774
AgentTesla
7beacc03c7e9d87b052a52f5b7dd889b581eae833a3d2bfb6cb29a2c68944727
AgentTesla
aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240
AgentTesla
f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8
AgentTesla
+ 7'489 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210728-wav4944gx2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
2f4690c8b05c5bb0269c8c6665269fa5da0ba80ae035a48a9744705fe6e27a5f
MD5 hash:
fab5a668479d8e69ee6457cd66be82e9
SHA1 hash:
970ed75fa4cc9faee672826882b03773b45a3fc1
Link:
https://www.unpac.me/results/20221301-b90e-4e47-8461-9484683e6f29/
SH256 hash:
1584a127beb58b3dfcbb86073d0e5b3bd88922117522ab1e59b7c8c19df09a90
MD5 hash:
664965981e9281bfa68473e470101b42
SHA1 hash:
7a0f4594a457304eb20db4ffa42489a6d9e58dd7
Link:
https://www.unpac.me/results/20221301-b90e-4e47-8461-9484683e6f29/
SH256 hash:
f95b3e3f873a507dffd27f1b11627ea077eef0c1b3f80c204604b2bb4cc04691
MD5 hash:
654e87d0984a221f3dbfe9bc4e26cecd
SHA1 hash:
5fa5c4d26e0b49d41ddc90a7e61feec6980ede7b
Link:
https://www.unpac.me/results/20221301-b90e-4e47-8461-9484683e6f29/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/20221301-b90e-4e47-8461-9484683e6f29/
SH256 hash:
8f47662859b3b38c6d1eb1795d75def0063d8df82e06e303d3dac879e06d5e79
MD5 hash:
1d9b36b45481f5d3494e79babedcc977
SHA1 hash:
d205597b76523621aa555336d8bf0a7d34d95520
Link:
https://www.unpac.me/results/20221301-b90e-4e47-8461-9484683e6f29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/8f47662859b3b38c6d1eb1795d75def0063d8df82e06e303d3dac879e06d5e79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/174650/
  
URLhaus
https://urlhaus.abuse.ch/url/1487405/

Comments