MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af
SHA3-384 hash: 81e451ca47f932aeb1478c948f0a4f4ba7a0ee329d271c05aa51dcda76a58a39e0eac1da5292c580cb3a271a42016526
SHA1 hash: 81c9634f33fbaf5f2005042f91c94404c1de7634
MD5 hash: c760bd91023612230944f1ab34a65294
humanhash: crazy-kilo-carpet-island
File name:c760bd91023612230944f1ab34a65294
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'600 bytes
First seen:2021-09-21 08:25:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:Q9ETqmKQluNmtiS3/NpZZaUZ9wC0uBknu9F6YPDTWhJBw1U6I+7BHga2FWSEPokA:1hKQlsmtiK5oUZEuAfy1F3sHZHNoGQK
Threatray 10'700 similar samples on MalwareBazaar
TLSH T154F49DD17D47D89BF4DF2AB398AFC0201164AD8D9165C73D26967A2B54F330230ABE4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c760bd91023612230944f1ab34a65294
Verdict:
Malicious activity
Analysis date:
2021-09-21 08:28:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef4e7461-95b9-4924-8319-b9ce0838c0c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189701/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22f6d9f3-3b58-4670-baf2-d43fc8d70743
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855043
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487480 Sample: Wvor35UqdM Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 4 other signatures 2->33 7 Wvor35UqdM.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\KSQBsuj.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp5910.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\Wvor35UqdM.exe.log, ASCII 7->23 dropped 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->37 39 Uses schtasks.exe or at.exe to add and modify task schedules 7->39 41 Injects a PE file into a foreign processes 7->41 11 Wvor35UqdM.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 mail.privateemail.com 198.54.122.60, 49806, 587 NAMECHEAP-NETUS United States 11->25 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 08:26:08 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5ogw57aq6xsvpsbpnj7yyxtzpt2fyjfbyctxe2ad6uae2vh6cxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0663ffc968c7a2870e7c3234b4c2c2c5bae705a12a1f84ff4527af8d8b9466e5
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
9664d7052873349992d586788296c16579941a802a41b70afdc08867b2153d65
AgentTesla
aeea83ba49eeed249340ee917db29ccaf58cb9d9ab6a2c1226408d0d7118fb28
AgentTesla
c57c8d4d2e724683791c90f26d4499886ab0498688740b5433e1c4a36680564e
AgentTesla
d7550aca865eea83340a162a23a30ee5475147eb99a86fe08c3ac404ddda8400
AgentTesla
+ 10'690 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210921-kbvmqabeam/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9718461c34f76759f308984c0dd54a597fd48532b8c4089c032dbf5951837922
MD5 hash:
edebae89d9b184f546e6d978b474d607
SHA1 hash:
dd7c6b4907c8237a1c6b1a7664baccbe0b80ac4b
Link:
https://www.unpac.me/results/8a15165b-fa91-4840-bcc5-52fa3ddcfefe/
SH256 hash:
d6be3e524bbbea5f315ae3638c67386473e71b525da376d08a7956afb5f20828
MD5 hash:
06451536192d0883d168c8aa704591b9
SHA1 hash:
d52b9ac45753cf2364c747d787e3c86fd64375eb
Link:
https://www.unpac.me/results/8a15165b-fa91-4840-bcc5-52fa3ddcfefe/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/8a15165b-fa91-4840-bcc5-52fa3ddcfefe/
SH256 hash:
7d510abf6146a1ac16eb59831df3998dad7bbea262faf8364de43f5b8ad52b6d
MD5 hash:
fc577fd55738359d0d2288caa63cb8ea
SHA1 hash:
11b40156652c7223d945b1f72a3928c9cd31217b
Link:
https://www.unpac.me/results/8a15165b-fa91-4840-bcc5-52fa3ddcfefe/
SH256 hash:
8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af
MD5 hash:
c760bd91023612230944f1ab34a65294
SHA1 hash:
81c9634f33fbaf5f2005042f91c94404c1de7634
Link:
https://www.unpac.me/results/8a15165b-fa91-4840-bcc5-52fa3ddcfefe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8f5c6b77e087af2abe417b53fc62f3cbe7a2e1250e053b93401fa8026aa7f0af

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1637949/
Cape
Cape
https://www.capesandbox.com/analysis/189701/

Comments


Avatar
zbet commented on 2021-09-21 08:25:21 UTC

url : hxxp://anystonegenesh.com/ghetto/sa/DRO8qNcgdIfZDUR.exe