MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3
SHA3-384 hash: b36c126add0ea5b1fb44cc36893ee38d8e5f3c260e29851e483e9c3132b8f16f946c335ac31fd39a0c2e07fce10f5362
SHA1 hash: 430b42b9fc40e038c636df5bae9135c86aa941a7
MD5 hash: 8a0568bcc84dd094d5d0f40d2fddaf19
humanhash: salami-zebra-nineteen-edward
File name:Remittance_Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:636'928 bytes
First seen:2021-09-15 07:56:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:6ekRhWHCM2K4CqUxijIJC/rpcBYdGuEL9sfTc6rDVytm3kBLeoVzNc1F:cD3ClkUw/rpcBbJsf91yEIjc
Threatray 9'873 similar samples on MalwareBazaar
TLSH T1FBD4D02439EA5C0AF033AFF95AE4F1B69A7EB7733602D45910F10347EAD2A42DD90539
dhash icon 3e3d697e3c3c1f1f (11 x AgentTesla, 7 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance_Copy.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-15 09:40:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c7c5375-12c3-4e68-a984-7889c02dff03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188055/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Agensla.ic.13582.27417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617516cadb358dd15ed9244a/reports/5c447129-5293-4a80-8449-47cdcb975537/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05e4c319-2887-481b-a0b4-3dd81f87b0d1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851182
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 23:42:48 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xads7jgjszdjen6yp4al6em7l5psbno4cifou6gjfqjdbabk6srq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
463b749e715a232c611c3784cafa80af4f497916a5957f4459cf3211859c0220
AgentTesla
5708ed38a76d2e65acc99091556fc5dae4d1d969420322478a00089782a3e613
AgentTesla
730455b356fe27cddb15b8396a6a23b18437c8c2f2d71715e3e43cbb43e9f3df
AgentTesla
a11423bc4211ff87bc33c3ebdd044bbea3ecbeec7b837ef2eb73b2a3569b90a6
AgentTesla
a33b1f58ac2ddf96535d053fc53ef6fd38ffdfd6d4109e5418257128da752379
AgentTesla
a7cc7147bb5b95baab5c49330b99e8bc2fa1fc454ec5fe51a1ca2f287b24f67e
AgentTesla
b062fc8177987ce13c4fbcbad8ca4c0ede3b6db5be1a4017ac214159dc37fe9a
AgentTesla
c8b5ad6ec571b93bce7b6ae25501d622eb7fda462b02455ff7bd9aaaace29aef
AgentTesla
f0e506d7f850788f27f3eeea42d47c0f3d21c46b8b0c3c6b9c108fa9f724ea40
AgentTesla
+ 9'863 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210915-js9mjadcaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
171b0205f1d7f6efb9b6fc68fc193d00edaa60f4ec957fd3d93b68d9d1d5c85e
MD5 hash:
643b22059d4c333dd103e7164cdeb660
SHA1 hash:
d3a5cfae0c0cd2f48067a86629b6d5d9a3976168
Link:
https://www.unpac.me/results/c073f526-2fd1-44c6-81ee-5ddb07257af3/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/c073f526-2fd1-44c6-81ee-5ddb07257af3/
SH256 hash:
ebccf4122d8ae76708d2ca3bc547e520d5bf11e21509eda40d51b99c5bfee335
MD5 hash:
dc7663211b9d87234cfe8c89e7bb569e
SHA1 hash:
550f9af741ed899ae5033005e549c6b056646d64
Link:
https://www.unpac.me/results/c073f526-2fd1-44c6-81ee-5ddb07257af3/
SH256 hash:
b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3
MD5 hash:
8a0568bcc84dd094d5d0f40d2fddaf19
SHA1 hash:
430b42b9fc40e038c636df5bae9135c86aa941a7
Link:
https://www.unpac.me/results/c073f526-2fd1-44c6-81ee-5ddb07257af3/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b8072fa4c996/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b8072fa4c996469237d87f00bf119f5f5f20b5dc120aea78c92c1230802af4a3

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188055/

Comments