MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fd87a74ea9ed9ce7c20c2a2c89f9170e97c772157e4dd1ca74b341fa6f8c6ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 11



SHA256 hash: 8fd87a74ea9ed9ce7c20c2a2c89f9170e97c772157e4dd1ca74b341fa6f8c6ca
SHA3-384 hash: 596292312bfbab96133dc08cf7a7f4db88ea5306c056f9597c6772e7572db2bd4c275f343de86f990af9a8b0840f2429
SHA1 hash: 8c8c6dd9ad21ff180656c34c97813276da7c0d09
MD5 hash: 1996b49a1a248983727546c565dcb08b
humanhash: edward-mike-pluto-muppet
File name: SOA_FEBSHIPMENTSpdf.exe
Signature: AgentTesla
File size: 357'441 bytes
First seen: 2021-03-03 10:50:33 UTC
Last seen: 2021-03-05 15:02:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 6144:l8LxBjvyi3ah9Uka7Ipd3kwmdaAVX2hcs18iSifuQKD1cFsIJRhMNj9HSi9ZmC/q:03qhCkBpfmdxVm1SifuQS1msIJRhMNoR
Threatray: 2'955 similar samples on MalwareBazaar
TLSH: D774128646C3E5F2E9E385B05D3A552DFA3BC20C6053A5DB87EE3EBFCA284428747145
Reporter: GovCERT_CH
Tags: AgentTesla

Intelligence


File Origin
# of uploads: 5
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SOA_FEBSHIPMENTSpdf.exe
Verdict: Malicious activity
Analysis date: 2021-03-03 10:52:08 UTC
Tags: rat agenttesla trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness: n/a

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 0 / 100
Behaviour
Behavior Graph: n/a

Result
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-03-03 10:25:06 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash: a11d00cc28e488c736df9d7ec9d68903af848004e0aff18f471f47904d47fb42
MD5 hash: 9269c6a1b7578a26bb8d88d459778c46
SHA1 hash: fada7cf9bf009d7fb65f95ab27505d36ac456e8e

SHA256 hash: c9e3a3b560eecfc2fd7da1dc3da262c6a223e520b3538001b363a2ecaf8026d7
MD5 hash: c58b02192424ebdba9dbffb0b3a6c380
SHA1 hash: c11f711a46a569a042458c474b99bed874237817

SHA256 hash: 91390feca7164a9b256fbfdb162f2f050d609dc3e25a8012e53d80c13e65697e
MD5 hash: 1a66de8ac7f13a6309381403eb7f4af8
SHA1 hash: 43c057048c9b132a75e0f0140071cc0d04263058

SHA256 hash: 1849404613812e448659efda13fc3cd822745b49e0dbdaf7dec20fbb7269a6af
MD5 hash: fc38004dcfdb56fe063e1dc660be4cbd
SHA1 hash: 474b7a1195ba2aa7e0054249b7bf56db8de78bc0

SHA256 hash: 8fd87a74ea9ed9ce7c20c2a2c89f9170e97c772157e4dd1ca74b341fa6f8c6ca
MD5 hash: 1996b49a1a248983727546c565dcb08b
SHA1 hash: 8c8c6dd9ad21ff180656c34c97813276da7c0d09

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam -> AgentTesla -> Executable exe 8fd87a74ea9ed9ce7c20c2a2c89f9170e97c772157e4dd1ca74b341fa6f8c6ca (this sample)

Dropped by: AgentTesla
Delivery method: Distributed via e-mail attachment

Comments