MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
SHA3-384 hash: 0cfd6dd2f6310516a72cbf8d28a5f67319aa4d238b9f9cab9609e4abc2b94de79243f76ad6f2a85125d9c96ffb7c6f22
SHA1 hash: 93513c5167cdac29e143f8e261919444f0bb0086
MD5 hash: bfd128de9adeb46762540aee07409350
humanhash: freddie-xray-green-spaghetti
File name:RTK-0983456709.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:973'565 bytes
First seen:2022-10-21 07:43:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 24576:XblNEEKXxjasYwA1OorUsXQAKZNA46jgPdl:LlXKhj2V/g9uodl
Threatray 246 similar samples on MalwareBazaar
TLSH T1BB25F0362D73A029FEFCC0357DD4B391426879BFA9C90F86E604B9CA31B36C21A75561
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RTK-0983456709.exe
Verdict:
Malicious activity
Analysis date:
2022-10-21 07:45:54 UTC
Tags:
autoit agenttesla
Link:
https://app.any.run/tasks/f4b40fd8-d9ae-487b-b6b6-4ba751093c09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322216/
Detection(s):
Win.Malware.Autoit-9973193-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44079/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63524dc5fdf6478a15afaf16/reports/3e8a76aa-f737-4aec-b9b6-96e070e7c424/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/781d1f86-d50e-4dca-9170-ede01359d316
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094693
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found API chain indicative of sandbox detection
Found hidden mapped module (file has been removed from disk)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 727331 Sample: RTK-0983456709.exe Startdate: 21/10/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 5 other signatures 2->42 7 RTK-0983456709.exe 19 2->7         started        10 bykqtwdjloltc.exe 2->10         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\uoqqn.exe, PE32 7->20 dropped 12 uoqqn.exe 1 3 7->12         started        process5 file6 22 C:\Users\user\AppData\...\bykqtwdjloltc.exe, PE32 12->22 dropped 24 C:\Users\user\AppData\Local\Temp\8A03.tmp, PE32 12->24 dropped 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->46 48 Found API chain indicative of sandbox detection 12->48 50 2 other signatures 12->50 16 uoqqn.exe 2 12->16         started        signatures7 process8 dnsIp9 26 posta.ni.net.tr 89.252.128.115, 49699, 587 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 16->26 28 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->28 30 Tries to steal Mail credentials (via file / registry access) 16->30 32 Tries to harvest and steal ftp login credentials 16->32 34 Tries to harvest and steal browser information (history, passwords, etc) 16->34 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 03:08:46 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7uth2f7oy2q4guzd4amwevza4n2c72vq2qadyl5uspgrevmgt2q._file
Verdict:
unknown
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
AgentTesla
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
AgentTesla
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
AgentTesla
886581e4b23e851f4244fb1a1d028e0ba1ed11d5b85868519cc606a40a06457c
AgentTesla
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
AgentTesla
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d
AgentTesla
d6184367b93e40e22f209756274697796820542d46d80ef74d810b2b8785bedd
AgentTesla
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
AgentTesla
fae591d3e1cea136791a06b8c59265af25eccf0d30b8500c9e8c664708e1937a
AgentTesla
+ 236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221021-jktlcaaag8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2fefad32-3cb5-4669-9a96-cef479024f04
Unpacked files
SH256 hash:
963e8cf8e1df3604fd6e6c163b9be24125dfb764196eb71e936dd01deae08004
MD5 hash:
306d61b898d8ca0ac21e0cea238dc164
SHA1 hash:
bb293cdaf8da2ae4d9bdb18a52626ca78cb0cb28
Link:
https://www.unpac.me/results/b07e8285-b0db-4f95-abf4-36c39af0e961/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/b07e8285-b0db-4f95-abf4-36c39af0e961/
SH256 hash:
10f1a1b35f8896777e827072683a8a4726051b51515bfd90dfcbbe14bd201633
MD5 hash:
20e4454ad21ac6e1074aa3b3aacf5320
SHA1 hash:
16a7a2828698d27e859fddace1f0f02ac01876f2
Link:
https://www.unpac.me/results/b07e8285-b0db-4f95-abf4-36c39af0e961/
SH256 hash:
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
MD5 hash:
bfd128de9adeb46762540aee07409350
SHA1 hash:
93513c5167cdac29e143f8e261919444f0bb0086
Link:
https://www.unpac.me/results/b07e8285-b0db-4f95-abf4-36c39af0e961/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8fe933e8bf76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 50af107e222511f18c5abf1a2c5e3327b282148e5d76b086559fda85e3b01d04

AgentTesla

Executable exe 8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 50af107e222511f18c5abf1a2c5e3327b282148e5d76b086559fda85e3b01d04
Cape
Cape
https://www.capesandbox.com/analysis/322216/
  
Dropped by
MD5 4f62e76a76917d307ad36d8911d083a3

Comments