MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b
SHA3-384 hash: 73958659f1d3311c8574515f82363d6ddf1f67896198cefb30d528e1a61067806c0bc15d8e6bc2886e9b8147cc3dcfed
SHA1 hash: cdacb97f5b3cca0bd495ba7996436212a1e13bdf
MD5 hash: 54be0316d0cdc3289d1f607ff3cb7a6b
humanhash: yankee-hamper-autumn-twelve
File name:New Order 290921 MISC Equipment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:753'664 bytes
First seen:2021-09-30 08:49:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:8TbQ+X8+UiDLbRHahEUfpya3SA4fYbJPHzAgq5RfSj08u1WKO8c6rzF5UPeoX0tU:0bQ+X8+UiDLbRHahEUhDS4PHMb5Rqj7W
Threatray 10'513 similar samples on MalwareBazaar
TLSH T136F49D54F11CD2B9FE1822B1253DFCC81AF82EA8147DE91BB9D7B1E224B9E3154B0197
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193438/
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.13267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ea3614e-b382-445d-8182-18585a397b2f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861732
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 08:50:14 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdqvfinvpe7ljsujhipqchwd4lfeyfkfnylu534m7ymettomrnfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c06547933dd0526f3e84b27ced5f01b66056fd3f8ca0e14209f0b4d5b859826
AgentTesla
1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c
AgentTesla
20f250ce18c73f3aecba1a2de30602b2d0bf6d138f447bc673ae50dd870acf03
AgentTesla
87dc8550515a6cdbb0de635690b0fc47151240e23763969d783a3a2695219e25
AgentTesla
90f3e806ddb15adcbeebef4b60d347a57bb55821eee0cf0319b4c23ec4bca284
AgentTesla
936608d2a9bcf770c5879d864baa83de91b629def3ad6eaa4cabb230eb8cd52b
AgentTesla
a71c1017c4c9f946f6c8b5327cf1a55d72b00f6cb2dd3a08b31fd3122a1ddb48
AgentTesla
ae0c09e5560968c147bfd8772fb490c9f867b37e14603021f9e2162947ed45e4
AgentTesla
bc50012fa15569587a9b3b399c034e50d5b3382433f9407158ba7104fc38edda
AgentTesla
e70ececee876665e0207b269f3b979c8edaaca83b6b60a569ff37211382540b5
AgentTesla
+ 10'503 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210930-krml2shbcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
595f66f0186756b0b5b29e45dbad47659ec59eca7fe36dbc41540aca608b44d4
MD5 hash:
9ea6a85b7c0c9b915147955124b16a34
SHA1 hash:
fc5743eafd2809d407b5235caa24dadc61358f9f
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
SH256 hash:
6fef8420a8bd6a90cfe7ac8aeb0e3811422b9b6cb9e0b14ea03f5236438f72ba
MD5 hash:
10c7772f435231d58046e0dc34def127
SHA1 hash:
38c8f9ffb5136848d62582ef41bab6c810121c74
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
SH256 hash:
81ae491967ccc8fe408be2a3027528fe39624fd89fd6b83f4cd41c72e5223270
MD5 hash:
896d516f552406e96a258357177ff713
SHA1 hash:
1c37a1567e53ce03f00daa819ca8a3cafc4c700a
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
SH256 hash:
ceefa4913348f17df2ad1ad5cad37f35177763c2d341556a699ae36f344a1dd8
MD5 hash:
d6e30619ff747656f5fe6b9b0703c2f7
SHA1 hash:
19312664283b9fd00ef06f48ae1b7ca35b793ca2
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
SH256 hash:
f7d272daf3522f99ca67b99bfe557564baba239104c7f20cef842f2e870bdf28
MD5 hash:
cceaca53d81061c0f1c6cf35ca7bf34b
SHA1 hash:
23ba45b249e0e4bdc5a8d4b4b07e2f7509cf85be
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
SH256 hash:
a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b
MD5 hash:
54be0316d0cdc3289d1f607ff3cb7a6b
SHA1 hash:
cdacb97f5b3cca0bd495ba7996436212a1e13bdf
Link:
https://www.unpac.me/results/b8b0ae3a-923f-46f5-95d0-625b131fcbaf/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a8e152a1b579/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a8e152a1b5793eb4ca893a1f011ec3e2ca4c15456e174eef8cfe1849cdcc8b4b

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/193438/

Comments