MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8
SHA3-384 hash: 417217a945179f27abcb82a5345ca260172edacf43e51f596106f7692fe840a87379ad73b03acf4d55f8ee05909a1b48
SHA1 hash: 473e7f140f156c314b3e3ead8b6b56c41cf85dcb
MD5 hash: 8dce8d6d7b6173caadb2adace9ca8799
humanhash: pasta-oven-three-shade
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:728'576 bytes
First seen:2021-01-06 07:44:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:q0ZmOJKNCdzL0/AQj+TmHPN9+b9qbvbSvhXCx:q0ZrLKj+C3+b9abIUx
Threatray 2'077 similar samples on MalwareBazaar
TLSH 6BF49D1377F9A640F0BA2B749AB0443097F2BC47962EC53D58D5704D09F2A80A9BA7F7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gmail.com
Sending IP: 185.222.57.135
From: Zubair Razavi <zubairridawi@gmail.com>
Subject: RE:PURCHASE ORDER
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:47:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e2618d44-5781-49ca-bf26-84845c4984b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110695/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574887
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 03:34:48 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6ejkia3iawgr3w22q3e2sqiob3ftgqp6ylrthmrwfmr6eisnhea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
137786f20b01ea831020cafde76ca06e6bdb2304525692aa46a7b98207b6bd93
AgentTesla
44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e
AgentTesla
7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
AgentTesla
81274d23515440feac07a591db64f946640ab3a4350bbfaa0d955ced83175fb0
AgentTesla
a72ee397635337a52d81d5a1d5bea4c48a375af13dc2848737f21c0577ab17b5
AgentTesla
aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
AgentTesla
c2b31bcc1986833d18247dcdd78c61d6b70158226f42f7951f1294bc2a370048
AgentTesla
c715ce8e0a9a7a56e405f5d8ab9c20784c0380dc9fac45ee5f091f332bdb6b6f
AgentTesla
c7c371104c985df2506b6f9b0e4133e61c96e45d9f96a9961369d52e9f9f972b
AgentTesla
fd487c8892d4d57d7efa830b72648b2c5234ba09a0dfdced267bf5943a1861a5
AgentTesla
+ 2'067 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210106-lg7pp4bmvn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8
MD5 hash:
8dce8d6d7b6173caadb2adace9ca8799
SHA1 hash:
473e7f140f156c314b3e3ead8b6b56c41cf85dcb
Link:
https://www.unpac.me/results/230857bc-d23a-45e7-a03e-75ecea1374cf/
SH256 hash:
0759e55dae527464c28d1b84eb6ad517dc9faf34a5ad10d55f652cb410a28f21
MD5 hash:
0ec82c5999a9391b7628d336f567b104
SHA1 hash:
0bd5978b480d87c0227a4bc7d12a761ae870d1aa
Link:
https://www.unpac.me/results/230857bc-d23a-45e7-a03e-75ecea1374cf/
SH256 hash:
2061665ce2f8457e21ad77ebfe45a7f01b30c4c02a5186f33b96210ac682d8c4
MD5 hash:
f3fd0b8b0ffde84fbe8dfdb2c974ad5a
SHA1 hash:
3a99a1f85c48a65e7d596568135c7f81b0962cbb
Link:
https://www.unpac.me/results/230857bc-d23a-45e7-a03e-75ecea1374cf/
SH256 hash:
6be54d5904565bcbf0ee30804ac44bdf8cf964a7a2321c86de83566c96994148
MD5 hash:
62953083aefe9c8d6998659d0928f773
SHA1 hash:
638fd34089ec2eccae353d21983c86b69ad05d5e
Link:
https://www.unpac.me/results/230857bc-d23a-45e7-a03e-75ecea1374cf/
SH256 hash:
5c391afa30864b8b707f8f5b0a09b2bd4bb9a5eda766bc85666784a11fec1b88
MD5 hash:
a903673f6eeae1a9a581e31613efe9f2
SHA1 hash:
f975e5a2b0d16628d0fbd5cdf7cdbca24b8ec8c1
Link:
https://www.unpac.me/results/230857bc-d23a-45e7-a03e-75ecea1374cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5dc555294277e9a675780bb9825a692df4c2c3569523d0337f6e7bd0fdc55eed

AgentTesla

Executable exe 8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8

(this sample)

  
Dropped by
MD5 fdaa2104cc7d8545e4a69bd4e2ad317d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110695/
  
Dropped by
SHA256 5dc555294277e9a675780bb9825a692df4c2c3569523d0337f6e7bd0fdc55eed

Comments