MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95
SHA3-384 hash: 6c631babe438a64cd6863c6430dd2ff098e94c5b227a56dfa623b512d9e4c90a57e03b585afc077909d78cd121a953e4
SHA1 hash: 58be0f5224bd5340fe86151595f9e4ac7d9f4703
MD5 hash: 3a0771cc2302ea82d321bb8c81338d31
humanhash: wolfram-magazine-ten-stairway
File name:SOA DEC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:836'096 bytes
First seen:2023-01-19 22:17:28 UTC
Last seen:2023-01-19 23:29:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bxI1bUheVvzdIZc10EUNUqt3czMOPZAAW8bckrfVbtu+s4X5/07H2Rz9:sbUhgeZwmtMzMOPZAP8xfum5YWv
Threatray 6'239 similar samples on MalwareBazaar
TLSH T1A3055A3A04B81AD2C1BEF27E6B98DD14FEE09442F7018D5EDDE60886D91368322DBD5D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ecd2a8d6d698c4e0 (2 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA DEC.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 22:18:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cfdace6b-6ac8-4783-95aa-eb1392f651bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354761/
Detection(s):
SecuriteInfo.com.Variant.Barys.315692.15892.27184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys floxif packed virus
Link:
https://www.filescan.io/uploads/63c9c19a447edb203affd891/reports/7685bbcb-2a5b-4fca-9f76-cdef202b1fca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f698304-f4d1-45d0-a472-f51c8d850aff
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155153
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787885 Sample: SOA DEC.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 10 other signatures 2->56 7 SOA DEC.exe 6 2->7         started        11 hyRREAYRzfFu.exe 5 2->11         started        13 yGbzOMp.exe 2 2->13         started        15 yGbzOMp.exe 1 2->15         started        process3 file4 42 C:\Users\user\AppData\...\hyRREAYRzfFu.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmpC2B5.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\SOA DEC.exe.log, ASCII 7->46 dropped 70 Writes to foreign memory regions 7->70 72 Injects a PE file into a foreign processes 7->72 17 RegSvcs.exe 2 4 7->17         started        22 schtasks.exe 1 7->22         started        74 Antivirus detection for dropped file 11->74 76 Multi AV Scanner detection for dropped file 11->76 78 Machine Learning detection for dropped file 11->78 24 RegSvcs.exe 3 11->24         started        26 schtasks.exe 1 11->26         started        28 RegSvcs.exe 11->28         started        30 RegSvcs.exe 11->30         started        32 conhost.exe 13->32         started        34 conhost.exe 15->34         started        signatures5 process6 dnsIp7 48 webmail.ospco.co 185.129.169.44, 49702, 49703, 587 PERSIANTOOLSIR Iran (ISLAMIC Republic Of) 17->48 40 C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32 17->40 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->60 62 Tries to steal Mail credentials (via file / registry access) 17->62 64 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->64 36 conhost.exe 22->36         started        66 Tries to harvest and steal browser information (history, passwords, etc) 24->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->68 38 conhost.exe 26->38         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 16:04:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5prb2gguslsiqf52nqtcyoeusfz47poufnm62er2lpgeumupskq._file
Verdict:
malicious
Similar samples:
0ba769f784583af015d366c78b4c2ab090eb66fecd22a0d0783f48c2df61f562
AgentTesla
5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2
AgentTesla
6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f
AgentTesla
6e90c85fbcfa669738f0d090ebe3f5dceb5b4796cd523c3f51cc956af3a20cdf
AgentTesla
a8904248c21089344f42647030b9554b2e08b17ecd0d5aa192fc759789e74176
AgentTesla
ab07e5b2a5ec274e9684b2e86706cc0af428a30e9cd478a274ce21c78022dfc5
AgentTesla
ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb
AgentTesla
ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110
AgentTesla
de7da8b54474a61449ac0c8a9feebc5708d73e8cf14bd2b74125d20cdf67bb84
AgentTesla
+ 6'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230119-17xpyshf22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
e9d87e82d57905ff76b1352a2784118243be52dff5cbad3e38a5f13a05de4bfb
MD5 hash:
50bfbba8dab2235bcca07a4dc474f47e
SHA1 hash:
f277b27f3b62a24dcd916060ccf276be904cdb29
Link:
https://www.unpac.me/results/b5565093-1e9c-4748-b481-5e831d8c9349/
SH256 hash:
8a27de9cf8a5fa723ec1fffcf1994a6b81d5de695b336016ea4ec6333480a66b
MD5 hash:
8769c025c532befd89c426632a8ffcee
SHA1 hash:
dcca53a89628e53f0d62290141a578455cc6f9db
Link:
https://www.unpac.me/results/b5565093-1e9c-4748-b481-5e831d8c9349/
SH256 hash:
a65731bb8a76ea2d43e9f2e72aef8aabc214a0e964d0c6a2eee0ca1244a972c3
MD5 hash:
413ac4f635a8a10b1e4433e294eb0cf4
SHA1 hash:
3b8bf2b56e78fc2b9af7406847cfe93cbc69c4a4
Link:
https://www.unpac.me/results/b5565093-1e9c-4748-b481-5e831d8c9349/
SH256 hash:
8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95
MD5 hash:
3a0771cc2302ea82d321bb8c81338d31
SHA1 hash:
58be0f5224bd5340fe86151595f9e4ac7d9f4703
Link:
https://www.unpac.me/results/b5565093-1e9c-4748-b481-5e831d8c9349/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f5f10e8c6a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/354761/

Comments