MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d
SHA3-384 hash:	ffe016984241128aea75dc8d184b2907b5055f1ff04535e6e9c17a6d68d48ab12728518fabd98e36e6a19e685fe74540
SHA1 hash:	e799abf182ebbda566506ab24d1c3291d2b5045c
MD5 hash:	74413d410ade63316e64fd13643c5472
humanhash:	hamper-india-whiskey-eleven
File name:	UPDATED SOA (2).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	493'568 bytes
First seen:	2022-11-25 19:22:03 UTC
Last seen:	2022-11-28 15:15:27 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:3gJKPIrufvlcmVUZ7DkosENw2xyVbzUh/e237lEXO52I4mYF+:3sKPmql7VUZ7PsECxXi2s4
Threatray	667 similar samples on MalwareBazaar
TLSH	T15CA4F109C19D5FB6C6C417B0DA9C270388BD1E75A5B4C6EE0B9C7A8B1B9CF6812F7121
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

UPDATED SOA (2).exe

Verdict:

No threats detected

Analysis date:

2022-11-25 19:23:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a7378deb-0f76-427d-9e67-9f94f13ce621

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338579/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1690.5547.13129.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638115e15be128ac718edf53/reports/b96626f3-8174-4492-b59d-59a5cf4c2443/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/92512cfd-5b3d-4528-b00f-1e6aa361459d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1121340

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-25 05:24:21 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdnwc5km7y7lhtpbfjr6vwygggzug6534bn3tqn367j7jlzruvwq._file

Verdict:

malicious

AgentTesla

0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397

AgentTesla

26e9c2f05c547a575d40b66a4feb317af53b65062611eea7ed6005e0ed88d1e9

AgentTesla

585a367610ffd8f7ae17423b182ec60048ba49a3ead6f2f84a2e4ad3fbd0195d

AgentTesla

623c410c316befe7e6cf4d8459bc0d112d7462b40dd31c524f10f268f1ef378e

AgentTesla

7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532

AgentTesla

a6f687d95308fd4d110ee7f8b07d3992e35802042f2d68c6216a5606b9ef8ab8

AgentTesla

c09e4ce0e0baa34a9c9043f4116639a4e0513d953135b4408fc5a5f02a9d2b58

AgentTesla

+ 657 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221125-x297bacf7w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e216437a-06a1-4cc0-9d1a-c2f536ab6124

Unpacked files

SH256 hash:

a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d

MD5 hash:

74413d410ade63316e64fd13643c5472

SHA1 hash:

e799abf182ebbda566506ab24d1c3291d2b5045c

Link:

https://www.unpac.me/results/43434e42-c8f5-49b7-98cd-03d31e521779/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a8db61754cfe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f66dd0ab944c5482c3ac75506795bdb9ad1b849a4ab4667b53e02ea7f933f994

AgentTesla

exe a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/338579/

Dropped by

SHA256 f66dd0ab944c5482c3ac75506795bdb9ad1b849a4ab4667b53e02ea7f933f994

Dropped by

MD5 4284b3b5164b8df48631c9cf87d19e2d

Dropped by

SHA256 487d9f829469177c124d791f2b4769f31e6c1c1dd695b52dacefee4e2061859d

Dropped by

MD5 87b096e6eed114266570138e11cabd40

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample