MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb
SHA3-384 hash: 23e94057e38e372000ffb8476f8b11d2bb328fc202357edba40adb223e186063b17b1a700810fd9ba0ff888c26fccfe2
SHA1 hash: d5da4bc921e6ee1db1c29e06a34f0a2ee6896687
MD5 hash: 695b228395e2074144301178130f7438
humanhash: low-salami-robert-utah
File name:New paper work document attached.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:810'496 bytes
First seen:2021-01-04 17:45:18 UTC
Last seen:2021-01-04 19:56:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sMmPWULnOwdk3L4z5VnhbHXizMOQlm7FhxSeyeY17BBuHK5Kc1eY:dSLLdEL4zHnhbybQlShx25BcyKcAY
Threatray 2'156 similar samples on MalwareBazaar
TLSH 7E05F19365886B53F43CD379641118801BF57A0DD396F5FDBEDB0BCA1462A028A37A3B
Reporter abuse_ch
Tags:AgentTesla exe FedEx


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: box.poexpress.org
Sending IP: 138.197.215.90
From: FedEx Express <me@poexpress.org>
Subject: New delivery on hold
Attachment: New paper work document attached.img (contains "New paper work document attached.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New paper work document attached.exe
Verdict:
Malicious activity
Analysis date:
2021-01-04 17:49:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d54dc059-e3db-4e61-b353-ce948e1ba4ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110421/
Detection(s):
SecuriteInfo.com.Artemis695B228395E2.29406.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573628
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5lnvrlzm4yjmibydd6mt7mw4eqkqk3jou46nwszkwgvpwf2s3fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
067d3156f3d1e23a1eeffa5bd970dc11da156dff7ea06b21dc5059a6f4434ce1
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
b70d94fd7da398d1d9a9bb0824bfea4009c441a0852a004fbed4b44c43ee8948
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
fd521190e36009a7fafea228266b37eda5cbaec650769ecf2d227eb02f8ebae5
AgentTesla
+ 2'146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210104-145nsla236/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
Unpacked files
SH256 hash:
a229668dbb7f90f83aa5fbc8862f272cb4c06e87d4643f4f2f7836537ce3a414
MD5 hash:
2661061fa09e7b686b62e5206ec3ea6d
SHA1 hash:
2c70d153439ea9697e72498190fae2dd2edeac11
Link:
https://www.unpac.me/results/ab157fc0-c84f-4260-89ff-572299f44a32/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/ab157fc0-c84f-4260-89ff-572299f44a32/
SH256 hash:
ede8413bdd0ab3a09cbf26fd765d6ce54c026292874fafa29bedf1fbf3d2d645
MD5 hash:
63e03252fcf9af2722f228bf6bb2bfe5
SHA1 hash:
8cf5d0609ef5ec8587cec0c39709217a000285c8
Link:
https://www.unpac.me/results/ab157fc0-c84f-4260-89ff-572299f44a32/
SH256 hash:
04c750fc67bce9f2192953f111356ebc8600231bcdc179bd9335bef4f0a0f3cb
MD5 hash:
7dcf0c12c74a7f9776d9f4c9e3bfbed9
SHA1 hash:
ee356365dc957f494c91eda1b157643cf4ef5e6d
Link:
https://www.unpac.me/results/ab157fc0-c84f-4260-89ff-572299f44a32/
SH256 hash:
8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb
MD5 hash:
695b228395e2074144301178130f7438
SHA1 hash:
d5da4bc921e6ee1db1c29e06a34f0a2ee6896687
Link:
https://www.unpac.me/results/ab157fc0-c84f-4260-89ff-572299f44a32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 72cd7daaa052068baa47f5e1c9c28c4e3d5bc567bf8ca88ef0a657cb4095467a

AgentTesla

Executable exe 8f56dac579673096203818fcc9fd96e120a82b697539e6da59558d57d8ba96cb

(this sample)

  
Dropped by
MD5 b5f2957601de5c092c4ce1fb58e9366f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 72cd7daaa052068baa47f5e1c9c28c4e3d5bc567bf8ca88ef0a657cb4095467a
Cape
Cape
https://www.capesandbox.com/analysis/110421/

Comments