MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
SHA3-384 hash: a483f9a854899cfcbebf51377c5eb63ae6d268ead807e7d231c3f4e526c395123bc48383bdde81681c7ef6a691147ad3
SHA1 hash: 31cd644977d90a8a060886aee8de0c880d6b3ba7
MD5 hash: aeb5aec0cabfdad17f8e2804db8f2e32
humanhash: moon-georgia-iowa-november
File name:a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'376 bytes
First seen:2023-06-08 10:31:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:H8rgLb4/axC0HCES+CiSWFJYMfPv4BRELtfAZz6L/BYU:HswUaHS+4Nv2LtYZo
Threatray 2'398 similar samples on MalwareBazaar
TLSH T172E4E12023D48B4FD12B5279C8E5D2B01776ED94A476CA874FD9FC4FB5FB2A2127210A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0d090941453690d8 (1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
Verdict:
No threats detected
Analysis date:
2023-06-08 10:32:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89660a0b-08bf-4768-8814-0b9e796ae0a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396891/
Detection(s):
Win.Dropper.Formbook-10002417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/6481ae2253bdc73e916f438d/reports/98579bf0-8b71-4f5a-b7e5-866d1d61156c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/191602d9-03ce-4951-83f5-2590cbbdbdbd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251082
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Found malware configuration
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884103 Sample: UQ9bUET6V1.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 7 UQ9bUET6V1.exe 7 2->7         started        11 GPivrOV.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\RoamingbehaviorgraphPivrOV.exe, PE32 7->31 dropped 33 C:\Users\user\...behaviorgraphPivrOV.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp3B90.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\UQ9bUET6V1.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Contains functionality to register a low level keyboard hook 7->61 65 2 other signatures 7->65 13 UQ9bUET6V1.exe 15 9 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 21 GPivrOV.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.forouzanyazd.com 62.3.41.235, 49695, 49699, 49700 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding Saudi Arabia 13->39 41 api4.ipify.org 104.237.62.211, 443, 49694 WEBNXUS United States 13->41 47 3 other IPs or domains 13->47 67 Installs a global keyboard hook 13->67 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 173.231.16.76, 443, 49698 WEBNXUS United States 21->43 45 api.ipify.org 21->45 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 11:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vczxsu7fl356eh2zozbxpmofeoq3xvs26v53ftdux4mpoj57xwpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
166321f2bf53cab5d536489d145e913c75727473627922b9ce53e0dd8b40e99d
AgentTesla
225db11a76895f4acb6660a727f05ac9b2dadefadb1fb6ee505654b367c33b5f
AgentTesla
3836e97722f2267266161a857140dfda9731e6bcec5147169c86410a39ac24e7
AgentTesla
87089c3324fbcadd16d3535a3eb947c630d135d0d939cbcaaac7f891b7a53285
AgentTesla
ad06dd86354aa9e61e6de1aabf9efa7539fb13edb2e23e1eb63b86d59203e55f
AgentTesla
b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295
AgentTesla
c8f04635049883e3151531fd25e7e0d3f50b336c5beed67923844d9de861cf79
AgentTesla
cce0243baf6140b9d0bc6360f85b7d2eb7d769d7d6dd25a5991ab9cc12465b58
AgentTesla
e3e6d851f1598eb145492e46d7431f72436178f1a60ebc4d6742839e12d52200
AgentTesla
ead1c91568b30168ec9a7685aa357b541c7da50ed5fcfd3d799c1a052d9e1f6f
AgentTesla
+ 2'388 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230608-mkyrvaec49/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/443a15a5-8291-4d96-9587-5d38b209607c/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/443a15a5-8291-4d96-9587-5d38b209607c/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
9753ff02af54ebd5d4530af5060deca0487cb6bce0fa6bc95de1efab51a7251e
MD5 hash:
244a6401b0b7619ab1415598c403334d
SHA1 hash:
57602c86c5963ca7201a5435645ebb076381b046
Link:
https://www.unpac.me/results/443a15a5-8291-4d96-9587-5d38b209607c/
SH256 hash:
a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e
MD5 hash:
aeb5aec0cabfdad17f8e2804db8f2e32
SHA1 hash:
31cd644977d90a8a060886aee8de0c880d6b3ba7
Link:
https://www.unpac.me/results/443a15a5-8291-4d96-9587-5d38b209607c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8b37953e55e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8b37953e55efbe21f59764377b1c523a1bbd65af57bb2cc74bf18f727bfbd9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396891/

Comments