MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30
SHA3-384 hash: b66d404b3780e91dbf9ae22a18d3c91c0f555316a1da0ec4a9b51e8830bfad73ff4725a7f7d360cca28fad2b516bd79d
SHA1 hash: 0c4bfccb137ad9de4c95ab9cdd1b59ac162b64a7
MD5 hash: e86c5b39ed8c59bfb4f4d2fc4f07c838
humanhash: autumn-juliet-nevada-princess
File name:e86c5b39ed8c59bfb4f4d2fc4f07c838.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'888 bytes
First seen:2023-04-06 15:14:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:1KEGQNeZTgX5sTsq+pvR+at7Z+wR5Q3cbtKpiee1gMSLaIHP02bxb804aemnar58:1KEGQEZT+3HtRNt7zRu3OtKoeeGP02br
Threatray 51 similar samples on MalwareBazaar
TLSH T1C8E49D521A634BD6D6B90D6007787A884678AF92D710633E7C83BD3F8CFBA4B50953D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order - 7513.doc
Verdict:
Malicious activity
Analysis date:
2023-04-06 10:26:35 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/cbf97996-aece-445c-a0c2-9d60522e20d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380675/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642ee1f9bf68c1790aface72/reports/c1565bf0-e4be-42f5-b543-ecd8d6090721/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/384d5d2a-4b66-4c1c-b582-66b66d66a9dd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209790
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 842708 Sample: YsyXBv46bg.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 28 mail.albins.com.pe 2->28 30 albins.com.pe 2->30 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected AgentTesla 2->46 48 .NET source code contains potential unpacker 2->48 50 Machine Learning detection for sample 2->50 7 YsyXBv46bg.exe 3 2->7         started        11 Appelix.exe 2 2->11         started        13 Appelix.exe 2 2->13         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\YsyXBv46bg.exe.log, ASCII 7->26 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->54 56 Injects a PE file into a foreign processes 7->56 15 YsyXBv46bg.exe 2 5 7->15         started        20 YsyXBv46bg.exe 7->20         started        58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 signatures6 process7 dnsIp8 32 albins.com.pe 162.214.66.203, 49700, 587 UNIFIEDLAYER-AS-1US United States 15->32 34 mail.albins.com.pe 15->34 22 C:\Users\user\AppData\Roaming\...\Appelix.exe, PE32 15->22 dropped 24 C:\Users\user\...\Appelix.exe:Zone.Identifier, ASCII 15->24 dropped 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->36 38 Tries to steal Mail credentials (via file / registry access) 15->38 40 Tries to harvest and steal browser information (history, passwords, etc) 15->40 42 2 other signatures 15->42 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 12:47:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
15 of 35 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5vynubqn4umxbbiiomsjum4omw3ja74xsyvwkrhgrokn6qpt4ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3
AgentTesla
20c98ec48a5ee8e4c51f806712ad69bdda873da9ae3c4d2fba764bcc3b899c6f
AgentTesla
24eff453781c287faa8e26134cd992f207f03d34b8d2f0e45dd94156ecf6e43e
AgentTesla
2cc853199871e54dd159e1ca956ece289182ffc70cd4dc7e033f6b25cfdc554c
AgentTesla
560d725c51733509f17d4a1b647cb5cfea3f400cfcc9cbab82da116419db1297
AgentTesla
679fce623ab731aa15f24b1f2ad923b2a6abbb4d21afd2f8abadaa09469d9925
AgentTesla
892ec6b7d5d18610afae6178542d991ee4b6b47adc7b61a02f78cc270f0cb84a
AgentTesla
bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
AgentTesla
d3b65364294db215de9055446d7b2b7e5189ac195b5e66eaf88e1bf91ce8a4e0
AgentTesla
e9de2220f0ea83ae236804774762da3025278c743882602910601ab43a7d0cdd
AgentTesla
+ 41 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230406-smwm6adf22/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
799c928d716f44a917fe976855c0871ba1ad857ee799a92f277c72f59a77b212
MD5 hash:
a90be4d43922e15b533cde778d14a756
SHA1 hash:
eb6bcac0fbd76ef3e895233b7541b70072444a4b
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
SH256 hash:
78263b569d4f9ed2016bd9c29718f62e55413cd4ca0106295c0443fafdc085d5
MD5 hash:
aef59f95e1a844e2551c8f3b4ef5a3b8
SHA1 hash:
d93e7ad3d586dfdee6b1c99db9237760671dd928
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
SH256 hash:
7d07775b65fc6ee5cbc9766e797c3d3ace8f640f2600818f1c8cb5cb540c0ac0
MD5 hash:
410f973045bb44e092aea3f76ce117ba
SHA1 hash:
c09b8d7035d8df1a5ed9b2d5004fa047b89c4a36
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
SH256 hash:
7f7d0bcd47896c7c3646ad3b1d153ab9995dd8135b8d5b6aea3dbda3d594907a
MD5 hash:
9fdbd5771d6ce52b1d01e5d82521fb92
SHA1 hash:
914563da2287edef506bb27b4caff60ad3da37aa
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
SH256 hash:
8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30
MD5 hash:
e86c5b39ed8c59bfb4f4d2fc4f07c838
SHA1 hash:
0c4bfccb137ad9de4c95ab9cdd1b59ac162b64a7
Link:
https://www.unpac.me/results/c23c24c2-d4cb-44a6-aed8-6369e46c363e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f6b86d0306f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 8f6b86d0306f28cb8428439924d19c732db483fcbcb15b2a27345ca6fa0f9f30

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/380675/
  
URLhaus
https://urlhaus.abuse.ch/url/2596567/
  
Delivery method
Distributed via web download

Comments